All Posts
@m_zandinia  Great. It’s good to know that changing the report’s permissions fixed the issue. 
Thanks @kiran_panchavat  I did read that page, but probably not carefully enough the first time. After reviewing the known issue more closely, I tested a potential workaround: If the user changes the report’s permissions to allow read access for everyone, they are then able to delete the report. According to the known issue, users cannot delete private reports. So I thought maybe they can delete public reports—and that turned out to be correct in my case.  
Have you installed IA and TA as well?
@qq-stan Recently we have integrated SentinelOne with Splunk, we installed SentinelOne app on the SH https://splunkbase.splunk.com/app/5433  & configured the data inputs directly on the search head. However, in a clustered environment, it is recommended to configure the data inputs on a heavy forwarder and install the SentinelOne app on the search heads for dashboards and visualization.  
Thank you for the response. Unfortunately it doesn't answer my specific question.
@qq-stan https://splunkbase.splunk.com/app/6056 - This is for SOAR on-prem/SOAR cloud, not for Splunk Enterprise. Check out Splunkbase: https://splunkbase.splunk.com/app/5433

Note: Installing the SentinelOne TA or IA on the same node as the App may result in instability or errors. Don't configure the inputs on all three instances; if you have a heavy forwarder, create the data inputs on that.
So this app has three parts: IA, TA, and the main App itself. Installed IA on a forwarder, TA on the Cluster Master, and the App on the search head. All three have API configuration options. So where do we enter the API settings? I can hardly imagine entering them on all three.
@xiyangyang  The Splunk Universal Forwarder (UF) for Linux does not explicitly use eBPF or other kernel hook technologies as part of its core functionality for log collection and forwarding. The Universal Forwarder is designed to be a lightweight agent that collects logs and forwards them to a Splunk indexer or heavy forwarder.   While Splunk has shown interest in eBPF for observability in other contexts—such as contributing to OpenTelemetry and developing the Flowmill Collector—these advancements are not integrated into the Universal Forwarder.  https://www.splunk.com/en_us/blog/learn/what-is-ebpf.html 
Does Linux universal forwarder use kernel hook technology? Such as eBPF? The forwarder version is 8.2.1.
Hello everyone, We have a distributed deployment of Splunk Enterprise with 3 indexers. Recently, it has been raising "Detecting bucket ID conflicts" warnings.

So far I have tried:
https://community.splunk.com/t5/Splunk-Enterprise/Why-are-we-encountering-an-issue-after-a-data-migration-with/m-p/567695
https://splunk.my.site.com/customer/s/article/ERROR-Detecting-bucket-ID-conflicts

Tried renaming the conflicting bucket, moving DISABLED buckets out, combining these options and separately. The warning is raised when a rolling restart is executed. When it is resolved on one indexer, at the next rolling restart it is raised on the next indexer, and so on in circles.

Please, advise.
@yuanliu Actually the event display type is perfectly fine if the OP wants it - it has very different behaviour to table - and <event> does support a table mode, but it does appear that conditional specific drilldown does not work as the OP describes - using table and fields command gives different behaviour - I did recreate his behaviour where conditional drilldown does NOT work on the Channel field despite it being visible, but cannot reproduce it. For example, if using the table command in the SPL, if you create any fields AFTER that statement, those fields do not seem to appear in the event table, whereas if you set them before the table command, it shows that column in the table, whereas using the fields command in SPL it makes no difference.

@lcguilfoil I don't have a specific answer, but if you can click on the magnifying glass of the event listing so that it opens up the real search in a new window and post that here, that would be useful - you did not post your entire search - not the one in the XML, but the real search as it runs after all the tokens are set.
Can you ask that they try to delete those by REST API if they have access to it? Ok, @kiran_panchavat has found from the release notes that this is a known issue and it has been fixed in 9.4.2, which has already been published and which also fixes some security issues known in earlier versions.
@m_zandinia You can use the REST API to DELETE the report. I created a test report and deleted it using the command below.

  curl -k -u admin:password --request DELETE https://<splunk_host>:8089/servicesNS/admin/search/saved/searches/testreport

NOTE: -k: Bypasses SSL certificate verification
Reference: https://<splunk_host>:8089/servicesNS/<owner>/<app>/saved/searches/<report_name>
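The same DELETE against the servicesNS endpoint from the answer above, as an added example that is not part of the original post: it percent-encodes the owner, app and report name, authenticates with a Splunk token instead of a username:password on the command line, and keeps TLS verification on rather than bypassing it as curl -k does. The host name and port are placeholders.

```python
import ssl
import urllib.parse
import urllib.request

# Hypothetical management host/port for illustration only; replace with your own.
SPLUNK_HOST = "splunk.example.internal"
MGMT_PORT = 8089


def saved_search_url(owner, app, report_name, host=SPLUNK_HOST, port=MGMT_PORT):
    """Build the servicesNS endpoint referenced in the answer, percent-encoding
    each path segment so report names with spaces or slashes are safe."""
    def seg(s):
        return urllib.parse.quote(s, safe="")
    return (f"https://{host}:{port}/servicesNS/{seg(owner)}/{seg(app)}"
            f"/saved/searches/{seg(report_name)}")


def build_delete_request(owner, app, report_name, token):
    """DELETE request authenticated with a Splunk authentication token
    (Authorization: Bearer ...) so no password appears in shell history."""
    req = urllib.request.Request(saved_search_url(owner, app, report_name),
                                 method="DELETE")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def delete_saved_search(owner, app, report_name, token, cafile=None):
    """Send the DELETE with certificate verification enabled; pass cafile to
    trust an internal CA instead of disabling verification like curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_delete_request(owner, app, report_name, token)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status  # 200 on success
```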
@m_zandinia I can confirm that this is a known issue in version 9.4.1 and your report is a private report as per the above screenshot.
https://docs.splunk.com/Documentation/Splunk/9.4.1/ReleaseNotes/KnownIssues

It got fixed in 9.4.2:
https://docs.splunk.com/Documentation/Splunk/9.4.2/ReleaseNotes/Fixedissues
Let me start with the obvious: Because you are using table in your query, <table /> is the appropriate panel type, not <event/> used in your illustration. You set the drilldown type to "All", set the token to $click.value$ and expect it to take the value of the field Channel. That is not how drilldown works. The value should be set to $row.Channel$. (There is another drilldown type "Cell". But if you want the token to represent Channel, this is inappropriate.)

Here is a complete mock dashboard for you to play with. Wherever you click, the clicked Channel value will be displayed in the panel's title. Play with it and adapt it for your use.

  <dashboard version="1.1" theme="light">
    <label>Click to set token</label>
    <description>https://community.splunk.com/t5/Dashboards-Visualizations/Classic-Dashboard-Drilldown-Click-on-a-Value-and-Set-Token/m-p/746080#M58677</description>
    <row>
      <panel>
        <title>Click on any row</title>
        <table>
          <title>Channel in that row should be &gt;$channel_token$&lt;</title>
          <search>
            <query>index = _internal component=* thread_id=* | rex "^(?&lt;Timestamp&gt;\S+ \S+ \S+)" | rename component as Channel, log_level as Level, event_message as Details, thread_id as RecordID, thread_name as Ruletitle | table Timestamp Level Channel RecordID Ruletitle Details *</query>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
            <sampleRatio>1</sampleRatio>
          </search>
          <option name="count">50</option>
          <option name="dataOverlayMode">none</option>
          <option name="drilldown">cell</option>
          <option name="percentagesRow">false</option>
          <option name="rowNumbers">false</option>
          <option name="totalsRow">false</option>
          <option name="wrap">true</option>
          <drilldown>
            <set token="channel_token">$row.Channel$</set>
          </drilldown>
        </table>
      </panel>
    </row>
  </dashboard>
@isoutamo Thanks. The SHC is in sync and there is no issue with kvstore.

Yes. They create both the alerts and reports from the Web UI. They can delete alerts from the Web UI but they can't delete their own reports from the Web UI. I'm using Splunk Enterprise Version 9.4.1.
@isoutamo Yes, I understand that there isn't a specific capability called "delete." I was referring to the modify/write capability in a broader context.
Have you checked that your SHC is in sync and that there are no general errors with it or with kvstore? I suppose that your users have created those alerts with the GUI and are also trying to remove them via the GUI? Or are they trying to use the REST API?
There is no separate delete capability for reports. It works if you have the modify/write capability, which you obviously have as you could create those reports under your private scope. That can_delete capability is totally different stuff and you never want to give it to a normal user.
Hi @illuminatedaxis

The XML tags you are using for batchInterval, batchCount, sendMode, and retriesOnError do not match the property names expected by the com.splunk.logging.HttpEventCollectorLogbackAppender. You should use the following tags instead:

<batch_interval> instead of <batchInterval>
<batch_count_size> instead of <batchCount>
<send_mode> instead of <sendMode>
<retries_on_error> instead of <retriesOnError>

Here is your configuration block with the corrected tags:

  <?xml version="1.0" encoding="UTF-8"?>
  <configuration>
    <appender name="SPLUNK_HTTP" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
      <url>my-splunk-url</url>
      <token>my-splunk-token</token>
      <index>my-index</index>
      <sourcetype>${USER}_local</sourcetype>
      <disableCertificateValidation>true</disableCertificateValidation>
      <batch_interval>1</batch_interval> <!-- Corrected tag -->
      <batch_count_size>1000</batch_count_size> <!-- Corrected tag -->
      <send_mode>parallel</send_mode> <!-- Corrected tag -->
      <retries_on_error>1</retries_on_error> <!-- Corrected tag -->
      <layout class="my-layout-class">
        <!-- some custom layout configs -->
      </layout>
    </appender>
    <logger name="com.myapplication" level="DEBUG" additivity="false">
      <appender-ref ref="SPLUNK_HTTP"/>
    </logger>
    <root level="DEBUG">
      <appender-ref ref="SPLUNK_HTTP"/>
    </root>
  </configuration>

Logback configures appenders by mapping XML tags to Java setter methods. For example, an XML tag <exampleProperty> would typically call a method setExampleProperty(...) on the appender class. The Splunk logging library's HttpEventCollectorLogbackAppender defines setters like setBatch_interval(String interval), setBatch_count_size(String count), and setSend_mode(String mode). Therefore, the XML tags must match these names, including the underscores.
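A small checker for the tag-to-setter mapping described in the answer above, added here as an example and not part of the original post or of the Splunk logging library: it parses a logback configuration, derives the setter name Logback would look for from each child tag of the appender, and flags tags that match none of the property names the answer lists. The set of known properties and the alias table are taken from that answer's corrected config, not from the library's full API; the sample config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Property names the answer above says HttpEventCollectorLogbackAppender
# accepts via setters (setUrl, setBatch_interval, setSend_mode, ...).
# Assumption: built from the corrected config in that answer, not the
# library's complete list.
KNOWN_PROPERTIES = {
    "url", "token", "index", "sourcetype", "disableCertificateValidation",
    "batch_interval", "batch_count_size", "send_mode", "retries_on_error",
    "layout",
}

# camelCase tags from the original question -> tag the answer says to use
ALIASES = {
    "batchInterval": "batch_interval",
    "batchCount": "batch_count_size",
    "sendMode": "send_mode",
    "retriesOnError": "retries_on_error",
}


def setter_name(tag):
    """Logback derives the setter from the tag: <batch_interval> -> setBatch_interval."""
    return "set" + tag[0].upper() + tag[1:]


def find_mismatched_tags(xml_text, appender_name="SPLUNK_HTTP"):
    """Return [(bad_tag, setter_logback_would_call, suggested_tag_or_None)]
    for child tags of the named appender that map to no known property."""
    root = ET.fromstring(xml_text)
    problems = []
    for appender in root.iter("appender"):
        if appender.get("name") != appender_name:
            continue
        for child in appender:
            if child.tag in KNOWN_PROPERTIES:
                continue
            # Fallback guess: camelCase -> snake_case, accepted only if known
            snake = re.sub(r"(?<!^)([A-Z])", lambda m: "_" + m.group(1).lower(), child.tag)
            suggestion = ALIASES.get(child.tag) or (snake if snake in KNOWN_PROPERTIES else None)
            problems.append((child.tag, setter_name(child.tag), suggestion))
    return problems


# Constructed sample: the camelCase tags from the original question
BAD_CONFIG = """<configuration>
  <appender name="SPLUNK_HTTP" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>my-splunk-url</url>
    <token>my-splunk-token</token>
    <batchInterval>1</batchInterval>
    <batchCount>1000</batchCount>
    <sendMode>parallel</sendMode>
    <retriesOnError>1</retriesOnError>
  </appender>
</configuration>"""

if __name__ == "__main__":
    for bad, setter, fix in find_mismatched_tags(BAD_CONFIG):
        print(f"<{bad}> would need {setter}(), which does not exist; use <{fix}>")
```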