Setup
- For Splunk Cloud Installations follow Splunk Cloud Instructions
- For Splunk Enterprise Installations follow Splunk Enterprise Instructions
- To update AME see here
Splunk Cloud Instructions
Follow these instructions to install and set up AME on Splunk Cloud.
AME installation and setup requires sc_admin privileges.
Application installation
- Open Apps -> Find More Apps
- Search for Alert Manager Enterprise
- Click on Install and enter your credentials.
- Restart Splunk
- Complete the application setup
Application setup
After the installation, the setup interface opens. The setup configures a default tenant.
A tenant includes:
- An index (admin-created)
- A KV Store Collection (AME-generated)
- A HEC Collector (admin-created)
- Splunk Roles (AME-generated)
A green bar confirms successful setup. Provide these details:
Information | Description |
---|---|
Index | Index for events (e.g., ame_default; renaming it later needs Professional Services) |
Host | HEC host (hostname only, no protocol such as http:// or https://). See below. |
Port | HEC port for traffic (default: 443). |
Token | HEC token for authentication |
SSL Enabled | Enables HTTPS for HEC submissions (mandatory for Cloud). |
SSL Verified | Verifies the HEC host certificate (recommended) |
CA Certificate | The Splunk Cloud CA Certificate. |

Create the default tenant index and set up the HEC Token before finishing the setup.
Choose the index name carefully; renaming it requires Professional Services.
In Splunk Cloud, use an sc_admin account to create an index and HEC token. Set the HEC host to the dedicated receiver (port 443, SSL enabled), using only the domain:
- AWS: http-inputs-yourstackname.splunkcloud.com
- GCP: http-inputs.yourstackname.splunkcloud.com
Optionally, use the Splunk Cloud Root CA for verification.
Index Creation
See Splunk Docs: Manage Indexes for how to create an index.
HEC Setup
See Splunk Docs: HEC Setup for how to set up the HEC Token.
HEC Indexer Acknowledgment is unsupported in Splunk Cloud. See Splunk Docs: HEC IDX Ack.
After the Setup
After the setup, the Setup and Migration page lists the required tasks in order.
Application Administrator Role
AME provides an ame.admin role for app management. Assign it to the application owner as a best practice.
See Role Overview for AME role details.
Do not assign ame.admin to untrusted users.
For Splunk Cloud Classic Stack, contact Splunk Support if events don’t appear (CIA-8485).
Troubleshooting
See the Troubleshooting Guide under "The HEC Connection does not work" for health-check steps.
Modifying Settings
Adjust settings via Tenant Settings.
Splunk Enterprise Instructions
Follow these instructions to install and set up AME on Splunk Enterprise.
AME installation and setup requires admin privileges.
Splunk Enterprise Deployment Options
Splunk Enterprise (On-Premises) offers multiple AME deployment options using configuration templates.
Enable HEC Indexer Acknowledgment on the receiver token for reliability.
For non-localhost HEC Receivers, configure props.conf to avoid event truncation.
Search Head / Search Head Cluster with Local HTTP Event Collector and Log Forwarding
In this scenario, the Search Head/Search Head Cluster is the local HEC Receiver (localhost).
The Search Head is configured to send its logs to the indexers (outputs.conf).
Search Head / Search Head Cluster with Remote HTTP Event Collector on Heavy Forwarder
In this scenario, the Alert Manager Enterprise app sends data to a remote Heavy Forwarder that acts as the HEC Receiver. The Heavy Forwarder sends its logs to the indexers.
Search Head / Search Head Cluster with HTTP Event Collector on Indexers with Load-Balancer
In this scenario, the Alert Manager Enterprise app sends its data to a load-balancer, which forwards the connection to Indexers with an HEC Receiver configured.
For Load-Balancers, the following HTTP connection settings are supported:
- HTTP/1.1 with a connection header Keep-Alive (Splunk HEC default)
- HTTP/1.1 with a connection header Close
Application installation
Install Alert Manager Enterprise (AME) like any Splunk app on the Search Head via Splunkbase or by deploying it to $SPLUNK_HOME/etc/apps.
For Search Head Clusters, use the Deployer to install the app.
On-Premises Search Head Cluster Installation
To install AME on a Search Head Cluster:
- Copy the app to $SPLUNK_HOME/etc/shcluster/app on the Deployer.
- Run splunk apply shcluster-bundle to deploy.
- Complete the application setup.
Application setup
After the installation, the setup interface opens. The setup configures a default tenant.
A tenant includes:
- An index (admin-created)
- A KV Store Collection (AME-generated)
- A HEC Collector (admin-created)
- Splunk Roles (AME-generated)
A green bar confirms successful setup. Provide these details:
Information | Description |
---|---|
Index | Index for events (e.g., ame_default; renaming it later needs Professional Services) |
Host | HEC host (hostname only, no protocol such as http:// or https://) |
Port | HEC port for traffic (default: 8088) |
Token | HEC token for authentication |
SSL Enabled | Enables HTTPS for HEC submissions (recommended) |
SSL Verified | Verifies the HEC host certificate (recommended) |
CA Certificate | The CA Certificate of the HEC Receiver |

Create the default tenant index and set up the HEC Token before finishing the setup.
Choose the index name carefully; renaming it requires Professional Services.
Index Creation
Create the default tenant index, e.g. ame_default.
HEC Setup
Set up HEC on your HEC Host (see Deployment options). Create the HEC Token.
After the Setup
After the setup, the Setup and Migration page lists the required tasks in order.
New installations must run the AME Setup first. Upgrades may include additional tasks; see Update Page.
Application Administrator Role
AME provides an ame.admin role for app management. Assign it to the application owner as a best practice.
See Role Overview for AME role details.
Do not assign ame.admin to untrusted users.
Testing the HEC Receiver Connection
See the Troubleshooting Guide under "The HEC Connection does not work" for health-check steps.
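As an added example (not part of AME or this guide), the following Python script checks a tenant's HEC settings against the rules in the Cloud and Enterprise setup tables above (bare hostname, valid port, SSL mandatory on Cloud, a CA certificate when verification is on) and then calls the HEC health endpoint with exactly that trust configuration. The hostname, token and CA file path are placeholders, and the settings dictionary is constructed for the example.

```python
import json
import ssl
import urllib.request
# Constructed sample tenant settings for the Cloud table; host, token and CA path are placeholders.
CLOUD_SETTINGS = {
    "host": "http-inputs-yourstackname.splunkcloud.com",
    "port": 443,
    "token": "00000000-0000-0000-0000-000000000000",
    "ssl_enabled": True,
    "ssl_verified": True,
    "ca_certificate": "/path/to/splunkcloud_root_ca.pem",
}

def validate_settings(s, cloud):
    """Return the list of problems with the tenant HEC settings (empty means OK)."""
    problems = []
    host = s["host"].strip()
    if not host or "://" in host or "/" in host:
        problems.append("host must be a bare hostname: no http:// or https://, no path")
    if not 1 <= int(s["port"]) <= 65535:
        problems.append("port must be between 1 and 65535")
    if cloud and not s["ssl_enabled"]:
        problems.append("SSL Enabled is mandatory for Splunk Cloud")
    if s["ssl_enabled"] and not s["ssl_verified"]:
        problems.append("SSL Verified is off: the HEC certificate will not be checked")
    if s["ssl_verified"] and not s.get("ca_certificate"):
        problems.append("SSL Verified needs a CA Certificate to trust")
    if not s["token"]:
        problems.append("HEC token is empty")
    return problems

def hec_url(s, path="/services/collector/health"):
    """Build the HEC URL from the table fields; the scheme follows SSL Enabled."""
    scheme = "https" if s["ssl_enabled"] else "http"
    return f"{scheme}://{s['host']}:{int(s['port'])}{path}"

def check_health(s, timeout=5):
    """GET the HEC health endpoint with the tenant's trust settings; returns (status, body)."""
    ctx = None
    if s["ssl_enabled"] and s["ssl_verified"]:
        # Trust only the configured CA certificate (Splunk Cloud Root CA or the receiver's CA).
        ctx = ssl.create_default_context(cafile=s["ca_certificate"])
    elif s["ssl_enabled"]:
        # SSL Verified off: TLS is still on, but the server certificate is not checked.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(hec_url(s), headers={"Authorization": f"Splunk {s['token']}"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))
```

A TLS error from check_health means the CA certificate or hostname does not match the receiver, which is the first thing to confirm when the HEC connection fails.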
Modifying Settings
Adjust settings via Tenant Settings.