I am using Splunk 6.3.3 with the Alert Manager app (version 2.0.5) for alert distribution. Everything is working as expected, except that the results and view links in the email body are incorrect. The splunkweb is running in SSL mode and we also have a load balancer in front of the search head. The links generated in the email body are http instead of https, and the hostname is the server name instead of the load balancer cname. I updated the alert_actions.conf file under both the /etc/system/local and /etc/apps/alertmanager/local locations by adding the intended hostname value, but it didn't make any difference.
Has anyone figured this out?
hostname option in
hostname = [protocol]<host>[:<port>]
* Sets the hostname used in the web link (url) sent in alerts.
* This value accepts two forms.
  * hostname
    examples: splunkserver, splunkserver.example.com
  * protocol://hostname:port
    examples: http://splunkserver:8000, https://splunkserver.example.com:443
* When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.
* When this value begins with 'http://', it is used verbatim.
  NOTE: This means the correct port must be specified if it is not the default port for http or https.
* This is useful in cases when the Splunk server is not aware of how to construct an externally referenceable url, such as SSO environments, other proxies, or when the Splunk server hostname is not generally resolvable.
* Defaults to current hostname provided by the operating system, or if that fails, "localhost".
* When set to empty, default behavior is used.
This must be deployed to EVERY Search Head and all Splunk instances there need to be restarted before it will take effect.
That's exactly what I have done on the search head where the saved searches run. I have restarted the splunk processes as well but it still doesn't work. The results and view links are not constructed using the hostname value I defined in the alert_actions.conf file.
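The hostname rules quoted in the answer above, modelled as an added example (not part of the original thread and not Splunk's own code) that checks whether a setting would yield https links on the load balancer name. Assumptions: the function names, the `[email]` stanza, the `example.com` and `sh01` host names, passing the Splunk Web scheme and port in as parameters, and treating an `https://` prefix like the `http://` prefix the spec mentions (its examples list both).

```python
import configparser

# Constructed sample of a local alert_actions.conf; the [email] stanza and
# the load balancer name are assumptions for illustration.
SAMPLE_CONF = """
[email]
hostname = https://splunk.example.com:443
"""

def link_base(hostname_setting, web_scheme, web_port, os_hostname):
    """Model of the documented rule for the base URL of alert links."""
    value = (hostname_setting or "").strip()
    if not value:
        # Empty or unset: default behaviour, OS hostname or "localhost".
        value = os_hostname or "localhost"
    if value.lower().startswith(("http://", "https://")):
        # Full URL form: used verbatim, so the port must already be right.
        return value
    # Simple hostname form: scheme and port come from Splunk's own web config.
    return f"{web_scheme}://{value}:{web_port}"

def effective_hostname(conf_text, stanza="email"):
    """Read the hostname value from conf text; empty string if not set."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.get(stanza, "hostname", fallback="")

def audit(conf_text, expected_base, web_scheme, web_port, os_hostname):
    """Return the modelled link base and a list of problems found."""
    base = link_base(effective_hostname(conf_text), web_scheme, web_port,
                     os_hostname)
    problems = []
    if not base.lower().startswith("https://"):
        problems.append("links would be sent as plain http")
    if base != expected_base:
        problems.append(f"base is {base}, expected {expected_base}")
    return base, problems

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "https://splunk.example.com:443",
                "http", 8000, "sh01"))
```
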