Skip to main content
Version: 5.3

Index Suffixes

Incident Index Suffix

An index suffix is a string appended to the base name of an incident index.

Example

If you create a prod suffix and use it when creating an incident, incidents will be created in the .smos_incident-prod-<year>.<week_number> index instead of .smos_incident-<year>.<week_number>.

tip

Index suffixes can be used to manage user permissions for different incident groups.

warning

To ensure the correct operation of the role model when controlling access to incidents from different OpenSearch indices, it is necessary to add the parameter do_not_fail_on_forbidden: true to the configuration file config/opensearch-security/config.yml of the opensearch-security plugin.

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    do_not_fail_on_forbidden: true
    authc:
      basic_internal_auth_domain:
      ...

To apply the new configuration, you need to run securityadmin.sh. Set your values for OPENSEARCH_NODE and CLUSTER_NAME.

JAVA_HOME=/app/opensearch/jdk/ /app/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
-cacert /app/opensearch/config/ca-cert.pem \
-cert /app/opensearch/config/admin-cert.pem \
-key /app/opensearch/config/admin-key.pem \
--accept-red-cluster --clustername <CLUSTER_NAME> \
-f /app/opensearch/config/opensearch-security/config.yml \
-t config -h <OPENSEARCH_NODE>

Incident Aggregation Index Suffix

When using a search job with a specified incident suffix in incident aggregation, the suffix will also be applied to the name of the aggregation results index.

Example

When using the aforementioned search job with the prod suffix in incident aggregation, the aggregation results will be created in an index named .sm_incident_aggregation_results-prod instead of .sm_incident_aggregation_results.

danger

You cannot simultaneously use search jobs with different suffixes in incident aggregation. Attempting to: Add a search job with a different suffix to the aggregation, or Modify the suffix of an already included task will result in an error.

Changing Aggregation Suffix When Using Multiple Search Tasks

To modify the aggregation suffix when using multiple search jobs, follow this procedure:

  1. In aggregation settings, keep only one search job by removing all others from the list
  2. Change the index suffix for all search jobs
  3. Restore all removed search jobs in the aggregation settings