Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

No search history on MacOSX

BDein
Explorer
‎12-27-2021 01:12 PM

Hi Everyone,

I'm running Splunk Enterprise 8.2.2.1 on my MacOS (Big Sur), and it runs quite well, except that there is no search history available using a user id with admin role.

But from the CLI in: etc/users/bd/search/history

There is actually a file called <hostname>.idx.csv which holds all my history.

1. Can anyone please explain what's going on here?

PS. I have 5 instances running on my Mac (A combined SH/IDX, DPL, HFWD, and 2 UF's), and it all works nice together. The difference is that I have an internal created user on the SH (the one with no history above), but on IE the HFWD I use the user "splunk" (this user also runs all the instances on OS level) to log in with, and here history work just fine.

2. There is gotta be a missing link, but which?

Cheers,

Bjarne

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-28-2021 01:43 AM

Hi

this is quite interesting and seems to be some kind of bug?

I just tested with macOS 11.6.2, Safari Version 15.2 (16612.3.6.1.8, 16612) and Splunk 8.2.4 (

87e2dda940d1 dmg version) with several accounts and it seems to work weird.

  1. separate aa_admin => didn't work
  2. aa_user => works
  3. admin => works
  4. again with aa_admin => works (but only from last SPLs on step 1, not all which I can see on history)

I propose that you should do a support case for this.

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution

BDein
Explorer
‎12-28-2021 01:49 AM

Hi @isoutamo ,

Thanks for your fast reply, it looks weird to me as well - so thanks for confirming.

/Bjarne

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-28-2021 01:43 AM

Hi

this is quite interesting and seems to be some kind of bug?

I just tested with macOS 11.6.2, Safari Version 15.2 (16612.3.6.1.8, 16612) and Splunk 8.2.4 (

87e2dda940d1 dmg version) with several accounts and it seems to work weird.

  1. separate aa_admin => didn't work
  2. aa_user => works
  3. admin => works
  4. again with aa_admin => works (but only from last SPLs on step 1, not all which I can see on history)

I propose that you should do a support case for this.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...