Splunk IT Service Intelligence

Missing index firedalerts (used by app DA-ITSI-CP-unix-dashboards)

corti77
Communicator

After the installation of IT Essential Works, I started to received the following alert

 

Received event for unconfigured/disabled/deleted index=firedalerts with source="source::fired_alerts" host="host::XXXXXXXXXX" sourcetype="sourcetype::stash". So far received events from 1 missing index(es).

 

I decided to created the index manually and after a day I saw a few events coming in and digging a bit I found out that they seem to come from the saved search called fired_alerts that is part of the App DA-ITSI-CP-unix-dashboards, which I don't have it enabled. (!). I only enabled the Exchange content.

corti77_1-1629451302518.png

which query is

 

| rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=firedalerts

 

is this normal? why the index was not created automatically by ITSI?

Labels (3)

linhmai_bne
Path Finder

- SSH to search head.

- Go to app folder location .../etc/app/<name>/default

- Open savedsearches.conf

- Copy search query using that index

- Add that search savedsearches.conf in ../etc/app/<name>/local

- Add disabled = 1

- Restart

That is how I solved it by disabling the search query.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...