All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to limit the index that Alert Manager searches by default?

eangeles
Path Finder
‎11-08-2016 07:42 PM

I have a Splunk/Hunk installation with both local indexes and virtual indexes configured. My user role requires access to both the local and virtual indexes. This means that configuring a user role that doesn't have access to "_non-internal_indexes" isn't an option.

Is there a way to configure Alert Manager to only use the local index as a searchProvider? It's taking a long time to retrieve search results in the dashboard because of the nature of mapreduce and Hadoop.

Thanks!

0 Karma
Reply

Simon
Contributor
‎11-08-2016 11:06 PM

Easiest way is to create an eventtypes.conf in $SPLUNK_HOME/etc/apps/TA-alert_manager/local
and update the eventtypes used by the app:

[alert_metadata]
search = index=yourindex sourcetype=alert_metadata    

[alert_results]
search = index=yourindex sourcetype=alert_results

[incident_change]
search = index=yourindex sourcetype=incident_change

For certification reasons, the index constraint hat to be removed. However, I think this is still a big need and will introduce it in a future version again.

Reply

eangeles
Path Finder
‎11-09-2016 12:45 PM

Thanks for the information! I added the eventtypes.conf file and the dashboard models were still searching the non-internal indexes by default. Curious, what exactly is the eventtypes.conf settings in TA-alert_manager doing?

The solution I've arrived at is to actually modify the Alert Manager data models under $SPLUNK_HOME/etc/apps/alert_manager/local/data/models/alert_manager.json and append "index=myindex" to the beginning of the search query.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...