Index Suffixes
Incident Index Suffix
An index suffix is a string appended to the base name of an incident index.
Example
If you create a prod suffix and use it when creating an incident, incidents will be created in the .smos_incident-prod-<year>.<week_number> index instead of .smos_incident-<year>.<week_number>.
Index suffixes can be used to manage user permissions for different incident groups.
For the role model to work correctly when access to incidents is split across different OpenSearch indices, add the parameter do_not_fail_on_forbidden: true to the opensearch-security plugin configuration file config/opensearch-security/config.yml. With this setting, a search that spans several indices returns results from the indices the user is permitted to read instead of failing with a security exception.
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    do_not_fail_on_forbidden: true
    authc:
      basic_internal_auth_domain:
      ...
To apply the new configuration, run securityadmin.sh, substituting your own values for <OPENSEARCH_NODE> and <CLUSTER_NAME>.
JAVA_HOME=/app/opensearch/jdk/ /app/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
-cacert /app/opensearch/config/ca-cert.pem \
-cert /app/opensearch/config/admin-cert.pem \
-key /app/opensearch/config/admin-key.pem \
--accept-red-cluster --clustername <CLUSTER_NAME> \
-f /app/opensearch/config/opensearch-security/config.yml \
-t config -h <OPENSEARCH_NODE>
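The following is an added example, not part of the original documentation or the product's code: a check of which suffix groups a role's index patterns actually reach. Role names, suffixes and index names are constructed, and `*` matching is approximated with Python's fnmatch. It shows that a bare `.smos_incident-*` pattern spans every suffix, and that `.smos_incident-prod-*` also reaches a suffix such as prod-eu.

```python
import re
from fnmatch import fnmatchcase

# Index name layout from the page: .smos_incident[-<suffix>]-<year>.<week_number>
INDEX_RE = re.compile(r"^\.smos_incident-(?:(?P<suffix>.+)-)?\d{4}\.\d{1,2}$")

# Constructed sample data: suffixes, role names and patterns are hypothetical.
INDICES = [
    ".smos_incident-2024.10",
    ".smos_incident-prod-2024.10",
    ".smos_incident-prod-eu-2024.10",
    ".smos_incident-dev-2024.11",
]
ROLES = {
    "incident_all": [".smos_incident-*"],
    "incident_prod": [".smos_incident-prod-*"],
    "incident_prod_strict": [".smos_incident-prod-20*"],
}

def suffix_of(index):
    """Return the suffix of an incident index, '' for the base index,
    or None if the name is not an incident index at all."""
    m = INDEX_RE.match(index)
    if m is None:
        return None
    return m.group("suffix") or ""

def exposed_suffixes(patterns, indices=INDICES):
    """Suffix groups reachable through a role's index patterns."""
    hit = set()
    for index in indices:
        suffix = suffix_of(index)
        if suffix is not None and any(fnmatchcase(index, p) for p in patterns):
            hit.add(suffix)
    return hit

def audit(roles=ROLES, indices=INDICES):
    """Map each role to the sorted list of suffix groups it can reach."""
    return {role: sorted(exposed_suffixes(p, indices)) for role, p in roles.items()}

if __name__ == "__main__":
    for role, groups in audit().items():
        print(f"{role}: {[g or '<no suffix>' for g in groups]}")
```

Run it against the real index list and role patterns before relying on suffixes to separate incident groups; any role that reports more than one group crosses a suffix boundary.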
Incident Aggregation Index Suffix
When using a search task with a specified incident suffix in incident aggregation, the suffix will also be applied to the name of the aggregation results index.
Example
When using the aforementioned search task with the prod suffix in incident aggregation, the aggregation results will be created in an index named .sm_incident_aggregation_results-prod instead of .sm_incident_aggregation_results.
You cannot simultaneously use search tasks with different suffixes in incident aggregation. Either of the following attempts will result in an error:
- Adding a search task with a different suffix to the aggregation
- Modifying the suffix of an already included task
To modify the aggregation suffix when using multiple search tasks, follow this procedure:
- In aggregation settings, keep only one search task by removing all others from the list
- Change the index suffix for all search tasks
- Restore all removed search tasks in the aggregation settings