All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to limit the index that Alert Manager searches by default?

eangeles
Path Finder
‎11-08-2016 07:42 PM

I have a Splunk/Hunk installation with both local indexes and virtual indexes configured. My user role requires access to both the local and virtual indexes. This means that configuring a user role that doesn't have access to "_non-internal_indexes" isn't an option.

Is there a way to configure Alert Manager to only use the local index as a searchProvider? It's taking a long time to retrieve search results in the dashboard because of the nature of mapreduce and Hadoop.

Thanks!

0 Karma
Reply

Simon
Contributor
‎11-08-2016 11:06 PM

Easiest way is to create an eventtypes.conf in $SPLUNK_HOME/etc/apps/TA-alert_manager/local
and update the eventtypes used by the app:

[alert_metadata]
search = index=yourindex sourcetype=alert_metadata    

[alert_results]
search = index=yourindex sourcetype=alert_results

[incident_change]
search = index=yourindex sourcetype=incident_change

For certification reasons, the index constraint hat to be removed. However, I think this is still a big need and will introduce it in a future version again.

Reply

eangeles
Path Finder
‎11-09-2016 12:45 PM

Thanks for the information! I added the eventtypes.conf file and the dashboard models were still searching the non-internal indexes by default. Curious, what exactly is the eventtypes.conf settings in TA-alert_manager doing?

The solution I've arrived at is to actually modify the Alert Manager data models under $SPLUNK_HOME/etc/apps/alert_manager/local/data/models/alert_manager.json and append "index=myindex" to the beginning of the search query.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...