Tenants
Tenants in Alert Manager Enterprise (AME) isolate events, knowledge objects, and configurations using role-based access control (RBAC).
Creating additional tenants requires the Multi-Tenancy Feature Pack. See Licensing and Support.
Each tenant includes a dedicated Splunk index, a KV Store collection, and associated roles. During installation, AME creates a default tenant with the ame_default index, the ame_default_events collection, and specific roles outlined below.
Tenant Roles
Users interact with tenants based on their assigned roles. The table below lists the roles, their purposes, and access levels:
| Role | Purpose | Access Level |
|---|---|---|
ame.admin | Manage all tenants and configurations | Full access to all tenants, edit objects, assign events |
ame.default.power | Enhanced access for default tenant | Manage events within default tenant |
ame.default.user | Basic access for default tenant | View and interact with events in default tenant |
ame.<tenant>.admin | Manage a specific tenant | Full access to the specified tenant |
ame.<tenant>.power | Enhanced access for a specific tenant | Manage events within the specified tenant |
ame.<tenant>.user | Basic access for a specific tenant | View and interact with events in the specified tenant |
admin | Splunk admin with full AME control | Full access to all tenants, edit objects, assign events |
sc_admin | Splunk Cloud admin with full AME control | Full access to all tenants, edit objects, assign events |
Users with Splunk Admin (admin, sc_admin) or ame.admin roles can add tenants if a valid multi-tenancy license is active and have unrestricted access across all tenants. Tenant-specific roles (ame.<tenant>.admin, ame.<tenant>.power, ame.<tenant>.user) are optional and restrict access to their designated tenant; without one, a user’s name won’t appear in tenant dropdowns.
See Role Overview for permissions required to manage tenants.
Managing Tenants
The Tenant Management UI is shown below:
Only Splunk admins or users with the ame.admin role can access and use this page.
Manage tenants with these buttons:
| Button | Function |
|---|---|
 | Add Tenant |
 | Save Tenant |
 | Delete Tenant |
Adding a Tenant
Requires a valid multi-tenancy license.
To create a tenant for event generation:
- Click
Add Tenantat the bottom of the list. - Enter a tenant name (editable later).
- Select roles to create for this tenant.
- Set a unique identifier (
tenant_uid) for data and permission mapping—no spaces, dots, colons, semicolons, or brackets allowed.
The unique identifier (tenant_uid) cannot be changed after creation.
- Define the index name (e.g.,
ame_<uid>recommended; changes later require commercial support). - Specify the HTTP Event Collector (HEC) host (default:
localhost). - Set the HEC port (default:
8088). - Provide the HEC token (must match the receiver host’s token).
- Enable SSL/TLS and certificate verification for enhanced security (recommended).
- If using certificate verification, supply the
cacertof the signing certificate for the HEC host. - Configure event retention settings (see below).
- Finalize creation:
- As
ame.admin: ClickCreateto set up the tenant entry and event collection (index and roles require manual configuration). - As Splunk admin or with
admin_all_objectsrole: ClickInitializeto create the tenant, roles, and event collection, then deploy the index template on indexers.
- As
Event Retention
Event retention determines how long events persist in the tenant’s KV Store collection after their last append operation. Set Event Retention [days] to a number (e.g., 0 for indefinite retention) and choose Event Retention Scope as Done only (applies to completed events) or All (applies to all events). This allows you to balance storage use with data access needs, tailoring retention to your operational requirements.
It’s recommended to match the event retention time with the Splunk index retention time. Mismatched settings may cause events to become inaccessible in the index while still existing in the KV Store collection, leading to data inconsistencies.
Status indicators reflect HEC connection health (see Health Check Dashboard for details):
| Status | Indicator |
|---|---|
| Healthy |  |
| Unhealthy |  |
For on-premises testing with default Splunk certificates, use $SPLUNK_HOME/etc/auth/cacert.pem (not recommended for production).
Updating or Deleting a Tenant
To update a tenant:
- Edit the tenant details.
- Click
Save Tenantin the upper-right corner.
To delete a tenant:
- Open the tenant.
- Click
Delete Tenantnext toSave Tenantin the upper-right corner.
Showing Configuration Templates
Enable the Splunk Configuration Template slider to view Splunk configuration templates for the tenant.
Sending a Test Event
Test the tenant configuration by clicking Send Test Event.