Splunk Search

No search history on MacOSX

BDein
Explorer

Hi Everyone,

I'm running Splunk Enterprise 8.2.2.1 on my MacOS (Big Sur), and it runs quite well, except that there is no search history available using a user id with admin role.

But from the CLI in: etc/users/bd/search/history

There is actually a file called <hostname>.idx.csv which holds all my history.

1. Can anyone please explain what's going on here?

PS. I have 5 instances running on my Mac (A combined SH/IDX, DPL, HFWD, and 2 UF's), and it all works nice together. The difference is that I have an internal created user on the SH (the one with no history above), but on IE the HFWD I use the user "splunk" (this user also runs all the instances on OS level) to log in with, and here history work just fine.

2. There is gotta be a missing link, but which?

Cheers,

Bjarne

Labels (1)
Tags (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

this is quite interesting and seems to be some kind of bug?

I just tested with macOS 11.6.2, Safari Version 15.2 (16612.3.6.1.8, 16612) and Splunk 8.2.4 (

87e2dda940d1 dmg version) with several accounts and it seems to work weird.

  1. separate aa_admin => didn't work
  2. aa_user => works
  3. admin => works
  4. again with aa_admin => works (but only from last SPLs on step 1, not all which I can see on history)

I propose that you should do a support case for this.

r. Ismo

View solution in original post

0 Karma

BDein
Explorer

Hi @isoutamo ,

Thanks for your fast reply, it looks weird to me as well - so thanks for confirming.

/Bjarne

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

this is quite interesting and seems to be some kind of bug?

I just tested with macOS 11.6.2, Safari Version 15.2 (16612.3.6.1.8, 16612) and Splunk 8.2.4 (

87e2dda940d1 dmg version) with several accounts and it seems to work weird.

  1. separate aa_admin => didn't work
  2. aa_user => works
  3. admin => works
  4. again with aa_admin => works (but only from last SPLs on step 1, not all which I can see on history)

I propose that you should do a support case for this.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...