Hello All,
I need your help to write SPL for fetching details of events that occur when users reach or cross the threshold limit defined as per their role for executing Splunk searches.
Any information would be very helpful.
Thank you
Information fetched so far: -
I asked it earlier on a separate forum and got following details from Jason Buxton: -
To get details of roles and and their configurations: -
|rest /services/authorization/roles splunk_server=local
To fetch my details: -
|rest /services/authentication/users splunk_server=local
I got following information from Miachael Camp Bentley: -
index=_internal reason=*
I tried to modify it as: -
index=_internal reason="*quota*"
And I got output with string: - The maximum number of concurrent historical searches for this user based on their role quota has been reached.
Although there were many empty fields, I fetched data from below fields: -
* event_message
* _raw
* reason
* search_id
* splunk_server
* splunk_server_group
However, it would be helpful if you could guide on getting more details related to events and errors along with related attributes which occur when users exceed their search quota.
Thank you