Splunk Search

No search history on MacOSX

BDein
Explorer

Hi Everyone,

I'm running Splunk Enterprise 8.2.2.1 on my MacOS (Big Sur), and it runs quite well, except that there is no search history available using a user id with admin role.

But from the CLI in: etc/users/bd/search/history

There is actually a file called <hostname>.idx.csv which holds all my history.

1. Can anyone please explain what's going on here?

PS. I have 5 instances running on my Mac (A combined SH/IDX, DPL, HFWD, and 2 UF's), and it all works nice together. The difference is that I have an internal created user on the SH (the one with no history above), but on IE the HFWD I use the user "splunk" (this user also runs all the instances on OS level) to log in with, and here history work just fine.

2. There is gotta be a missing link, but which?

Cheers,

Bjarne

Labels (1)
Tags (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

this is quite interesting and seems to be some kind of bug?

I just tested with macOS 11.6.2, Safari Version 15.2 (16612.3.6.1.8, 16612) and Splunk 8.2.4 (

87e2dda940d1 dmg version) with several accounts and it seems to work weird.

  1. separate aa_admin => didn't work
  2. aa_user => works
  3. admin => works
  4. again with aa_admin => works (but only from last SPLs on step 1, not all which I can see on history)

I propose that you should do a support case for this.

r. Ismo

View solution in original post

0 Karma

BDein
Explorer

Hi @isoutamo ,

Thanks for your fast reply, it looks weird to me as well - so thanks for confirming.

/Bjarne

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

this is quite interesting and seems to be some kind of bug?

I just tested with macOS 11.6.2, Safari Version 15.2 (16612.3.6.1.8, 16612) and Splunk 8.2.4 (

87e2dda940d1 dmg version) with several accounts and it seems to work weird.

  1. separate aa_admin => didn't work
  2. aa_user => works
  3. admin => works
  4. again with aa_admin => works (but only from last SPLs on step 1, not all which I can see on history)

I propose that you should do a support case for this.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...