SplunkExplorer
Contributor
07-16-2024
06:09 AM
Hi Splunkers, I have a doubt about a specific Splunk alert triggered action: the log event one.
From the doc I can see, at the end:
"You must also define the destination index on both the search head and the indexers."
Does it mean that, even if I am in a distributed environment, I must create the index used to save alerts on both indexers and search heads?
1 Solution

richgalloway

SplunkTrust
07-16-2024
06:31 AM
Yes, especially in distributed environments, the search head must be aware of the index. No storage needs to be created, however. The SH merely needs to know the index exists.
---
If this reply helps you, Karma would be appreciated.
