Splunk ITSI
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Missing index firedalerts (used by app DA-ITSI-CP-unix-dashboards)

corti77
Contributor
‎08-20-2021 02:24 AM

After the installation of IT Essential Works, I started to received the following alert

 

Received event for unconfigured/disabled/deleted index=firedalerts with source="source::fired_alerts" host="host::XXXXXXXXXX" sourcetype="sourcetype::stash". So far received events from 1 missing index(es).

 

I decided to created the index manually and after a day I saw a few events coming in and digging a bit I found out that they seem to come from the saved search called fired_alerts that is part of the App DA-ITSI-CP-unix-dashboards, which I don't have it enabled. (!). I only enabled the Exchange content.

corti77_1-1629451302518.png

which query is

 

| rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=firedalerts

 

is this normal? why the index was not created automatically by ITSI?

Labels (3)
Reply

linhmai_bne
Path Finder
‎12-07-2021 08:05 PM

- SSH to search head.

- Go to app folder location .../etc/app/<name>/default

- Open savedsearches.conf

- Copy search query using that index

- Add that search savedsearches.conf in ../etc/app/<name>/local

- Add disabled = 1

- Restart

That is how I solved it by disabling the search query.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top