Splunk Search

No search history on MacOSX

BDein
Explorer

Hi Everyone,

I'm running Splunk Enterprise 8.2.2.1 on my MacOS (Big Sur), and it runs quite well, except that there is no search history available using a user id with admin role.

But from the CLI in: etc/users/bd/search/history

There is actually a file called <hostname>.idx.csv which holds all my history.

1. Can anyone please explain what's going on here?

PS. I have 5 instances running on my Mac (A combined SH/IDX, DPL, HFWD, and 2 UF's), and it all works nice together. The difference is that I have an internal created user on the SH (the one with no history above), but on IE the HFWD I use the user "splunk" (this user also runs all the instances on OS level) to log in with, and here history work just fine.

2. There is gotta be a missing link, but which?

Cheers,

Bjarne

Labels (1)
Tags (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

this is quite interesting and seems to be some kind of bug?

I just tested with macOS 11.6.2, Safari Version 15.2 (16612.3.6.1.8, 16612) and Splunk 8.2.4 (

87e2dda940d1 dmg version) with several accounts and it seems to work weird.

  1. separate aa_admin => didn't work
  2. aa_user => works
  3. admin => works
  4. again with aa_admin => works (but only from last SPLs on step 1, not all which I can see on history)

I propose that you should do a support case for this.

r. Ismo

View solution in original post

0 Karma

BDein
Explorer

Hi @isoutamo ,

Thanks for your fast reply, it looks weird to me as well - so thanks for confirming.

/Bjarne

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

this is quite interesting and seems to be some kind of bug?

I just tested with macOS 11.6.2, Safari Version 15.2 (16612.3.6.1.8, 16612) and Splunk 8.2.4 (

87e2dda940d1 dmg version) with several accounts and it seems to work weird.

  1. separate aa_admin => didn't work
  2. aa_user => works
  3. admin => works
  4. again with aa_admin => works (but only from last SPLs on step 1, not all which I can see on history)

I propose that you should do a support case for this.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...