I managed to find the GitHub for this app and found a similar issue posted regarding comments not showing up.
There appears to be something wrong with the history table loading:
https://github.com/simcen/alert_manager/issues/179
Replaced everything in incident_history(1) with the query:
index=alerts incident_id="$incident_id$" | table _time,user,action,details,comment
This helped me resolve it.
If anyone can figure out what is wrong with this one that would be awesome:
eventtype=incident_change incident_id="$incident_id$"
| sort - _time
| eval previous_value=coalesce(previous_status, previous_owner, previous_urgency)
| eval attribute=case(isnotnull(owner),"owner",isnotnull(urgency),"urgency",isnotnull(status),"status")
| eval attribute_val=case(isnotnull(owner),owner,isnotnull(urgency),urgency,isnotnull(status),status)
| eval suppression_rules=if(isnotnull(suppression_rule),mvjoin(suppression_rule,", "),"")
| eval details=case(action="auto_previous_resolve","Incident resolved by system (because of a new incident)",action="auto_ttl_resolve","Incident resolved by system (TTL reached)",action="create","Incident created",action="change",attribute + " has been changed from '" + previous_value + "' to '" + attribute_val+"'", action="suppress", "Incident suppressed by rules: " + suppression_rule, action="auto_suppress_resolve", "Incident auto-suppressed by rules: " + suppression_rule, action="comment", "Comment added", action="new_subsequent_incident", "New identical incident with incident_id='"+ new_incident_id +"' has been created and automatically resolved.", action="auto_subsequent_resolve", "Incident resolved by system (because of a identical pre-existing incident)")
| table _time, user, action, details, comment