All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to limit the index that Alert Manager searches by default?

eangeles
Path Finder
‎11-08-2016 07:42 PM

I have a Splunk/Hunk installation with both local indexes and virtual indexes configured. My user role requires access to both the local and virtual indexes. This means that configuring a user role that doesn't have access to "_non-internal_indexes" isn't an option.

Is there a way to configure Alert Manager to only use the local index as a searchProvider? It's taking a long time to retrieve search results in the dashboard because of the nature of mapreduce and Hadoop.

Thanks!

0 Karma
Reply

Simon
Contributor
‎11-08-2016 11:06 PM

Easiest way is to create an eventtypes.conf in $SPLUNK_HOME/etc/apps/TA-alert_manager/local
and update the eventtypes used by the app:

[alert_metadata]
search = index=yourindex sourcetype=alert_metadata    

[alert_results]
search = index=yourindex sourcetype=alert_results

[incident_change]
search = index=yourindex sourcetype=incident_change

For certification reasons, the index constraint hat to be removed. However, I think this is still a big need and will introduce it in a future version again.

Reply

eangeles
Path Finder
‎11-09-2016 12:45 PM

Thanks for the information! I added the eventtypes.conf file and the dashboard models were still searching the non-internal indexes by default. Curious, what exactly is the eventtypes.conf settings in TA-alert_manager doing?

The solution I've arrived at is to actually modify the Alert Manager data models under $SPLUNK_HOME/etc/apps/alert_manager/local/data/models/alert_manager.json and append "index=myindex" to the beginning of the search query.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...