Missing index firedalerts (used by app DA-ITSI-CP-...

corti77 · ‎08-20-2021

After the installation of IT Essential Works, I started to received the following alert

Received event for unconfigured/disabled/deleted index=firedalerts with source="source::fired_alerts" host="host::XXXXXXXXXX" sourcetype="sourcetype::stash". So far received events from 1 missing index(es).

I decided to created the index manually and after a day I saw a few events coming in and digging a bit I found out that they seem to come from the saved search called fired_alerts that is part of the App DA-ITSI-CP-unix-dashboards, which I don't have it enabled. (!). I only enabled the Exchange content.

which query is

| rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=firedalerts

is this normal? why the index was not created automatically by ITSI?

linhmai_bne · ‎12-07-2021

- SSH to search head.

- Go to app folder location .../etc/app/<name>/default

- Open savedsearches.conf

- Copy search query using that index

- Add that search savedsearches.conf in ../etc/app/<name>/local

- Add disabled = 1

- Restart

That is how I solved it by disabling the search query.

Missing index firedalerts (used by app DA-ITSI-CP-unix-dashboards)

installation

troubleshooting

using ITSI

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?