
Missing "Update monitored list from REST" saved search


I installed Fire Brigade on my search head using the web GUI and pushed out the TA Fire Brigade to my indexers using my deployment server.

But, I don't see "Update monitored list from REST" in my saved searches. I wanted to manually run that so I can get rid of the "The lookup table 'monitored_indexes.csv' is invalid." error.

Did I do something wrong? I'm on 6.0.3.

0 Karma


FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:

If you have any questions, ping the developer of the app @sowings


0 Karma


fire_brigade v2 does not have the "Update monitor list from REST" saved search. fire_brigade v1 has this particular saved search. Either case requires some adjustments, especially if you have a distributed/clustered environment with multiple indexers (peers).

The REST API /services/data/indexes does not allow multiple peer hosts as valid entries. So you would need to run it on each indexer, then append the results, dedup them, and save them as a CSV file. Since it is clustered, there should not be any deviation in the indexes present on one peer versus another; however, why leave it to chance?

Create a saved search "Update monitor list from REST" in the context of the Fire Brigade app, save it, and have it scheduled to run on some cycle (monthly, weekly, or daily ... go nuts).

Below is how I did it in our environment. I have 10 peers, so I run the REST API against each indexer, then append the results, then do some filtering, dedup, and save as CSV as expected by the Fire Brigade app.

| rest /services/data/indexes splunk_server=idx01 count=0 |
append [| rest /services/data/indexes splunk_server=idx02 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx03 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx04 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx05 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx06 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx07 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx08 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx09 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx10 count=0 ] |
search disabled=0 title!=_blocksignature title!=_thefishbucket | rename title AS index | fields index | dedup index | outputlookup monitored_indexes.csv

Hope this helps others in upgrading Fire Brigade (very useful app... but Splunk being Splunk often makes assumptions that are not always true)...
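
The following is an added example, not part of the original answer and not Fire Brigade's own code. It reproduces the answer's filter and dedup logic offline in Python and also reports which peers are missing an index, the deviation the answer does not want to leave to chance. The row shape (`title` and `disabled` as "0"/"1") and the sample peer data are constructed assumptions.

```python
import csv
import io

# Internal indexes that the posted search excludes by title.
EXCLUDED = {"_blocksignature", "_thefishbucket"}


def enabled_indexes(rows):
    """Apply the answer's filter: disabled=0 and title not in the excluded set."""
    return {r["title"] for r in rows
            if str(r["disabled"]) == "0" and r["title"] not in EXCLUDED}


def merge_peers(per_peer):
    """Return (sorted, deduplicated index list, {index: [peers lacking it]})."""
    seen = {peer: enabled_indexes(rows) for peer, rows in per_peer.items()}
    union = set().union(*seen.values()) if seen else set()
    drift = {}
    for idx in union:
        missing = sorted(p for p, have in seen.items() if idx not in have)
        if missing:
            drift[idx] = missing
    return sorted(union), drift


def to_lookup_csv(indexes):
    """Render the single-column 'index' CSV that the posted search writes."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["index"])
    for idx in indexes:
        writer.writerow([idx])
    return buf.getvalue()


# Constructed sample: per-peer rows as an assumption of what each peer reports.
SAMPLE = {
    "idx01": [{"title": "main", "disabled": "0"},
              {"title": "_internal", "disabled": "0"},
              {"title": "_thefishbucket", "disabled": "0"},
              {"title": "old", "disabled": "1"}],
    "idx02": [{"title": "main", "disabled": "0"},
              {"title": "_internal", "disabled": "0"},
              {"title": "web", "disabled": "0"}],
}

if __name__ == "__main__":
    indexes, drift = merge_peers(SAMPLE)
    print(to_lookup_csv(indexes), end="")
    for idx, peers in sorted(drift.items()):
        print(f"drift: index {idx!r} not enabled on {', '.join(peers)}")
```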
