I am configuring the Cisco AMP for Endpoints input on our IDM instance.  When creating the input I am not able to specify the desired index for the data to go into.  My only options are main, summary, and history.  How do I specify my index? ... View more

Users have been complaining they were not getting email alerts.  While troubleshooting this issue I noticed the alerts were also not being written to the triggered alerts area even though that action is selected in the alert.  I am able to send email notifications using this SPL:  index=_internal | stats count by host | top 1 host | sendemail to="[email protected]" sendresults=true To help troubleshoot this some more I created a very simple alert with this SPL: index=_internal | stats count by host     The search is set to lookup back 15 minutes and the CRON schedule is set for * * * * * to run every minute.  The action for this alert is just to add the event to the Triggered Alerts if results > 0.  This search definitely returns results but the alert actions don't seem to be triggering.  Any help would be appreciated. ... View more