In our email alerts, the $results.url$ link generated by Splunk uses the local SH (which triggered the alert). Is there some way to modify the resulting URL so that users get the VIP instead of the local SH?
For example, the URL is https://splunksearchhead1.corp.com:8000/blahblah/sid=12345. I would like the result link to be https://splunk.corp.com/blahblah/sid=12345.
A very simple solution is:
Go to any of the SHs: Settings > Server settings > Email settings.
Define "Link Hostname" there. Put your load balancer's URL here, with protocol and port.
This will solve the issue.
Under the hood, this will add the below in system local of each of the clustered SHs, in alert_actions.conf