Index Suffixes
Incident Index Suffix
An index suffix is a string appended to the base name of an incident index.
Example
If you create a prod suffix and use it when creating an incident, incidents will be created in the .smos_incident-prod-<year>.<week_number> index instead of the .smos_incident-<year>.<week_number> index.
Index suffixes can be used to manage user permissions for different incident groups.
Incident Aggregation Index Suffix
When using a search task with a specified incident suffix in incident aggregation, the suffix will also be applied to the name of the aggregation results index.
Example
When using the aforementioned search task with the prod suffix in incident aggregation, the aggregation results will be created in an index named .sm_incident_aggregation_results-prod instead of .sm_incident_aggregation_results
You cannot simultaneously use search tasks with different suffixes in incident aggregation. Either of the following actions will result in an error:
- Adding a search task with a different suffix to the aggregation
- Modifying the suffix of an already included task
To modify the aggregation suffix when using multiple search tasks, follow this procedure:
- In aggregation settings, keep only one search task by removing all others from the list
- Change the index suffix for all search tasks
- Restore all removed search tasks in the aggregation settings
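
For the permissions use case mentioned above, the following added example (not part of the product documentation) audits which incident groups a role's index patterns can reach, using the index names described on this page. It assumes permissions are granted through wildcard index patterns and uses Python's fnmatch globbing as a stand-in for the real matcher; the role names, suffixes and week numbers are constructed.

```python
from fnmatch import fnmatchcase

INCIDENT_BASE = ".smos_incident"
AGG_BASE = ".sm_incident_aggregation_results"

def incident_index(year, week, suffix=None):
    """Incident index name; the suffix sits between the base name and the date part."""
    mid = f"-{suffix}" if suffix else ""
    return f"{INCIDENT_BASE}{mid}-{year}.{week}"

def aggregation_index(suffix=None):
    """Aggregation results index name; the suffix is appended to the base name."""
    return f"{AGG_BASE}-{suffix}" if suffix else AGG_BASE

def inventory(suffixes, year, weeks):
    """Map every index name to the incident group (suffix) it belongs to."""
    inv = {}
    for s in [None, *suffixes]:
        label = s or "(unsuffixed)"
        inv[aggregation_index(s)] = label
        for w in weeks:
            inv[incident_index(year, w, s)] = label
    return inv

def reachable_groups(patterns, inv):
    """Groups whose indices match at least one of the role's patterns."""
    return sorted({g for idx, g in inv.items()
                   for p in patterns if fnmatchcase(idx, p)})

def audit(roles, inv):
    """Role -> reachable groups; more than one group means the patterns overlap."""
    return {role: reachable_groups(pats, inv) for role, pats in roles.items()}

# Constructed sample data (hypothetical suffixes, weeks and role names).
INV = inventory(["prod", "dev"], 2024, [17, 18])
ROLES = {
    # Meant for unsuffixed incidents only, but the wildcard also covers -prod- and -dev-.
    "general_analyst": [".smos_incident-*"],
    # Tighter: the date part starts with a digit (breaks if a suffix starts with one).
    "general_scoped": [".smos_incident-[0-9]*", AGG_BASE],
    "prod_analyst": [".smos_incident-prod-*", AGG_BASE + "-prod"],
}

if __name__ == "__main__":
    for role, groups in audit(ROLES, INV).items():
        status = "TOO BROAD" if len(groups) > 1 else "ok"
        print(f"{role:16} {status:9} {', '.join(groups)}")
```

A pattern written for the unsuffixed index family is a prefix of every suffixed family, so a role intended for one group should be checked against all existing suffixes before it is granted.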