Hello,
I have an alert which writes to the summary index every time the alert runs and triggers an alert via email when the condition is met.
Example
index........|table a,b,c,d,e | collect index=summary |search a>1
I want all the fields a,b,c,d,e in the summary index and only the a,b,c fields in the triggered alert results.
Is it possible?
2) Can we get a list of indexes by app?
For the first question, yes - and you are almost all the way there already!
index........|table a,b,c,d,e | collect index=summary | fields a b c |search a>1
That will send into the summary index the events still containing fields {a,b,c,d,e} but will pare it down to fields {a,b,c} before triggering the alert. So if you put that search into an alert that is emailed, you should get what you're looking for.
As for the second question, I'm not sure I understand well enough to help. Maybe you could expand on it?
Thank you @elliotproebstel for the reply, and it is working fine. Thanks a lot.
The second question - I am trying to get the list of indexes by app name like
search-index1,index2,index3
abc-index4,index2,index8
So I am trying to get the indexes for each app.
I have tried the query below
| rest /services/data/indexes
| fields title, "eai:acl.app"
| rename title AS index, "eai:acl.app" AS App_Name
| stats values(index) AS indexes BY App_Name
but was not successful.
I don't think I can help with this question, sorry. To the best of my knowledge, index availability isn't partitioned by app. You can set access controls by user/role under Settings > Access Controls, but any user who has access to index1 will be able to search index1 from any app to which they have access.
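As an added, worked example (not code posted by anyone in this thread): a small Python script that does both things discussed above offline. It groups index names by the app that defines them, which is what the `eai:acl.app` column of `| rest /services/data/indexes` reports (`acl.app` in the JSON output), and separately expands each role's `srchIndexesAllowed` patterns from `/services/authorization/roles` against the index list, since that role setting, not the app, is what decides who can search an index. The endpoint and field names are the real Splunk ones; the two JSON responses embedded below are constructed samples, not captured from a live instance, and the index and role names in them are made up.

```python
import fnmatch
import json
from collections import defaultdict

# Constructed sample of /services/data/indexes?output_mode=json, trimmed to
# the fields used here. "acl.app" is the app whose indexes.conf defines the
# index; it is a definition location, not an access-control boundary.
INDEXES_JSON = json.dumps({
    "entry": [
        {"name": "main",      "acl": {"app": "search"}, "content": {"disabled": False}},
        {"name": "index1",    "acl": {"app": "search"}, "content": {"disabled": False}},
        {"name": "index2",    "acl": {"app": "abc"},    "content": {"disabled": False}},
        {"name": "_internal", "acl": {"app": "system"}, "content": {"disabled": False}},
        {"name": "old_idx",   "acl": {"app": "abc"},    "content": {"disabled": True}},
    ]
})

# Constructed sample of /services/authorization/roles?output_mode=json.
# srchIndexesAllowed is the list that governs who can search what. It takes
# glob patterns; a bare "*" covers non-internal indexes only, "_*" the
# internal ones (those whose name starts with an underscore).
ROLES_JSON = json.dumps({
    "entry": [
        {"name": "admin",   "content": {"srchIndexesAllowed": ["*", "_*"]}},
        {"name": "user",    "content": {"srchIndexesAllowed": ["index1"]}},
        {"name": "analyst", "content": {"srchIndexesAllowed": ["index*"]}},
        {"name": "nobody",  "content": {"srchIndexesAllowed": []}},
    ]
})


def indexes_by_app(indexes_json: str, include_disabled: bool = False) -> dict:
    """Group index names by the app that defines them (the 'eai:acl.app'
    column in `| rest /services/data/indexes`, 'acl.app' in JSON output)."""
    groups = defaultdict(list)
    for entry in json.loads(indexes_json)["entry"]:
        if entry["content"].get("disabled") and not include_disabled:
            continue
        groups[entry["acl"]["app"]].append(entry["name"])
    return {app: sorted(names) for app, names in sorted(groups.items())}


def _pattern_matches(pattern: str, index: str) -> bool:
    """Apply one srchIndexesAllowed pattern, honouring the rule that a bare
    '*' does not match internal (underscore-prefixed) indexes."""
    if pattern == "*":
        return not index.startswith("_")
    return fnmatch.fnmatchcase(index, pattern)


def searchable_indexes_by_role(roles_json: str, indexes_json: str) -> dict:
    """Expand each role's srchIndexesAllowed patterns against the enabled
    indexes. This mapping, not the app an index lives in, answers
    'who can search index1?'."""
    all_indexes = [e["name"] for e in json.loads(indexes_json)["entry"]
                   if not e["content"].get("disabled")]
    result = {}
    for entry in json.loads(roles_json)["entry"]:
        patterns = entry["content"].get("srchIndexesAllowed", [])
        result[entry["name"]] = sorted(
            idx for idx in all_indexes
            if any(_pattern_matches(p, idx) for p in patterns))
    return result


if __name__ == "__main__":
    # Prints the "app-index1,index2" shape asked for in the thread.
    for app, names in indexes_by_app(INDEXES_JSON).items():
        print(f"{app}-{','.join(names)}")
    for role, names in searchable_indexes_by_role(ROLES_JSON, INDEXES_JSON).items():
        print(f"role {role}: {','.join(names) or '(none)'}")
```

To run it against a real instance, replace the two constants with the bodies returned by those endpoints (with `output_mode=json`); the `disabled` check drops indexes that exist in indexes.conf but are switched off, which otherwise inflate the per-app list.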