All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to limit the index that Alert Manager searches by default?

eangeles
Path Finder
‎11-08-2016 07:42 PM

I have a Splunk/Hunk installation with both local indexes and virtual indexes configured. My user role requires access to both the local and virtual indexes. This means that configuring a user role that doesn't have access to "_non-internal_indexes" isn't an option.

Is there a way to configure Alert Manager to only use the local index as a searchProvider? It's taking a long time to retrieve search results in the dashboard because of the nature of mapreduce and Hadoop.

Thanks!

0 Karma
Reply

Simon
Contributor
‎11-08-2016 11:06 PM

Easiest way is to create an eventtypes.conf in $SPLUNK_HOME/etc/apps/TA-alert_manager/local
and update the eventtypes used by the app:

[alert_metadata]
search = index=yourindex sourcetype=alert_metadata    

[alert_results]
search = index=yourindex sourcetype=alert_results

[incident_change]
search = index=yourindex sourcetype=incident_change

For certification reasons, the index constraint hat to be removed. However, I think this is still a big need and will introduce it in a future version again.

Reply

eangeles
Path Finder
‎11-09-2016 12:45 PM

Thanks for the information! I added the eventtypes.conf file and the dashboard models were still searching the non-internal indexes by default. Curious, what exactly is the eventtypes.conf settings in TA-alert_manager doing?

The solution I've arrived at is to actually modify the Alert Manager data models under $SPLUNK_HOME/etc/apps/alert_manager/local/data/models/alert_manager.json and append "index=myindex" to the beginning of the search query.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...