How to limit the index that Alert Manager searches by default?

Path Finder

I have a Splunk/Hunk installation with both local indexes and virtual indexes configured. My user role requires access to both the local and virtual indexes. This means that configuring a user role that doesn't have access to "_non-internal_indexes" isn't an option.

Is there a way to configure Alert Manager to only use the local index as a searchProvider? It's taking a long time to retrieve search results in the dashboard because of the nature of MapReduce and Hadoop.


0 Karma


Easiest way is to create an eventtypes.conf in $SPLUNK_HOME/etc/apps/TA-alert_manager/local and update the eventtypes used by the app:

search = index=yourindex sourcetype=alert_metadata    

search = index=yourindex sourcetype=alert_results

search = index=yourindex sourcetype=incident_change

For certification reasons, the index constraint had to be removed. However, I think this is still a big need and will introduce it in a future version again.

Path Finder

Thanks for the information! I added the eventtypes.conf file and the dashboard models were still searching the non-internal indexes by default. Curious, what exactly are the eventtypes.conf settings in TA-alert_manager doing?

The solution I've arrived at is to actually modify the Alert Manager data models under $SPLUNK_HOME/etc/apps/alert_manager/local/data/models/alert_manager.json and append "index=myindex" to the beginning of the search query.

0 Karma
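
The data model edit described in the last reply, as an added example that is not part of the thread or of Alert Manager's own code. It assumes the general Splunk data model JSON layout (objects, constraints, search); the sample model, its object names and the `scope_model` helper are constructed for illustration. Only root event datasets are patched, since child datasets inherit their parent's constraints.

```python
import json
import re

# Constructed sample using the general Splunk data model JSON layout
# (objects -> constraints -> search); names and searches are made up,
# not copied from alert_manager.json.
SAMPLE_MODEL = """
{
  "modelName": "example_model",
  "objects": [
    {"objectName": "incidents", "parentName": "BaseEvent",
     "constraints": [{"search": "sourcetype=alert_metadata", "owner": "incidents"}]},
    {"objectName": "changes", "parentName": "BaseEvent",
     "constraints": [{"search": "index=myindex sourcetype=incident_change", "owner": "changes"}]},
    {"objectName": "open_incidents", "parentName": "incidents",
     "constraints": [{"search": "status=open", "owner": "incidents.open_incidents"}]}
  ]
}
"""

# Conservative allow-list so the value cannot smuggle extra SPL into the search.
INDEX_NAME = re.compile(r"[a-z0-9][a-z0-9_-]*")
HAS_INDEX = re.compile(r"(?:^|[\s(])index\s*=", re.IGNORECASE)


def scope_model(model, index):
    """Prepend index=<index> to root event datasets; return the names changed."""
    if not INDEX_NAME.fullmatch(index):
        raise ValueError(f"refusing unexpected index name: {index!r}")
    changed = []
    for obj in model.get("objects", []):
        constraints = obj.get("constraints", [])
        # Child datasets inherit the parent's constraints, so skip non-roots.
        if obj.get("parentName") != "BaseEvent" or not constraints:
            continue
        # Already scoped: leave it alone so re-running the patch is harmless.
        if any(HAS_INDEX.search(c["search"]) for c in constraints):
            continue
        constraints[0]["search"] = f"index={index} {constraints[0]['search']}"
        changed.append(obj["objectName"])
    return changed


if __name__ == "__main__":
    model = json.loads(SAMPLE_MODEL)
    print("scoped:", scope_model(model, "myindex"))
    print(json.dumps(model, indent=2))
```
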