All Posts
@richgalloway , I'm aiming to upgrade my Splunk Enterprise on the deployment server, but I'm uncertain whether it's configured as standalone or distributed. How can we verify this and proceed with the upgrade accordingly? Additionally, does the upgrade process differ between standalone and distributed setups?
Hi, I am trying to implement a glass table for one of my use cases. My use case has a complex architecture, but it seems like I don't have much choice: it has only a simple arrow. For my use case I need a flexible option so I can bend the arrow or have multiple staggered arrows. I tried to implement it by joining multiple arrows, but it's very difficult and time consuming, as a small change requires adjusting multiple arrows. Just looking for options. Is there any content pack, or a better option to connect services in a glass table? This is just a simple example; my use case is way more complex.
I'm not sure you'd be able to prevent the user from having the ability to view the secret at *all*, but you can get more granular than just all-or-nothing with `list_storage_passwords`. I just answered a similar question here with some details that might help you out: https://community.splunk.com/t5/Splunk-Dev/What-are-secret-storage-permissions-requirements/m-p/670685/highlight/true#M11281
Hey @lremember - you'll need to reach out to splunkbase-admin@splunk.com for help with ownership transfers for Splunkbase listings. 
My understanding is that credentials created by a POST request to the `storage/passwords` endpoint end up encrypted in `passwords.conf`, where they are treated like any other knowledge object. By default they will be accessible to any user with the `admin_all_objects` or `list_storage_passwords` capabilities, but you should be able to perform more granular access control via `metadata/local.meta`, as with any other knowledge object in Splunk. This would allow admins to lock down access to specific credentials with more specificity (or, if you're building this app yourself, you could use the app's setup page, where configuration is performed, to complete this additional step). I believe that this app includes functionality for managing permissions on existing secrets as described above: REST storage/passwords Manager for Splunk
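To make the per-credential ACL concrete, here is an added example (not taken from the reply above or from any Splunk app) of what the two files look like after a POST to `storage/passwords`, with read and write access narrowed to a single role. The realm `my_realm`, the username `svc_account` and the role `secrets_admin` are assumed names, and the encrypted value is a placeholder; the metadata stanza name is the `passwords.conf` stanza name prefixed with `passwords/` and with each `:` URL-encoded as `%3A`, the same encoding Splunk applies to other special characters in `.meta` stanza names.

```ini
# passwords.conf -- written by splunkd after POST storage/passwords
# (realm and username are assumed for this example)
[credential:my_realm:svc_account:]
# splunkd stores the secret encrypted; the value below is a placeholder,
# not a real ciphertext
password = $7$ENCRYPTED_BY_SPLUNKD

# metadata/local.meta -- hand-edited here, or set through the object's
# /acl REST endpoint. Stanza name = "passwords/" + the passwords.conf
# stanza name with ':' encoded as %3A.
# Only the (assumed) secrets_admin role can read or write this one entry;
# a role that merely holds list_storage_passwords no longer gets it back
# from the endpoint. admin_all_objects still bypasses object ACLs.
[passwords/credential%3Amy_realm%3Asvc_account%3A]
access = read : [ secrets_admin ], write : [ secrets_admin ]
export = none
owner = admin
```

Edits to `local.meta` take effect after a restart of splunkd (setting the same permissions through the object's `acl` endpoint applies immediately). To check the result, run `| rest /servicesNS/-/-/storage/passwords` once as a user whose role has `list_storage_passwords` but not `secrets_admin` and once as a `secrets_admin` user: the first should no longer see the `my_realm:svc_account` entry, the second still should. Note that `export = none` keeps the credential scoped to its app, so it is also not visible from other apps' contexts.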
Thank you
Nothing will happen.  Splunk will run just fine when installed as root.  Doing so, however, is not a good security practice.  Everything Splunk does will be as root - including any unknown vulnerabilities.  User scripts will run as root, which means they have the potential to cause great harm to the system. Install Splunk as a normal user.  User "splunk" is common.  If it's necessary to install using root (when using rpm files, for instance), then use the chown command to give ownership to 'splunk' afterwards.
I see,  should I copy and paste the event data into the search bar to do as the example you provided? Edit: I used: index="my_index" "log_id_here" logid responseMessage | spath input=data | transpose Strangely most if not all vital data was stored inside _raw as a single str
Hi @AL3Z , you can follow the hint from @isoutamo, which is correct. Just pay attention to the permissions (chmod), because when moving files from Windows to Linux you risk losing them. Ciao. Giuseppe
Hi @cplunk - the support email address for Splunkbase-related enquiries is: splunkbase-admin@splunk.com
The display name for your app is tied to whichever Splunk.com user account is the "owner" of the app listing. I think your options for changing this are either:
- create a new Splunk.com account to own your app listing and ask splunkbase-admin@splunk.com to transfer ownership, or
- update the information on your Splunk.com account (which might require contacting Splunk Support?)
Fixed this issue by doing a clean installation of the Splunk Add-on Builder (by manually deleting the directory and installing it again).
Hi @nithesh - since your original post, we've released updates to the Splunk AppInspect API that refined the behavior of this check. If you are still having issues, please reach out to appinspect@splunk.com and we'll help investigate. 
Hi @Shohel.Tamboli, I'm still working with the Docs team to see if we can get some revisions made. In the meantime, have you found a solution or anything else you can share? If you're still seeking help, you can also try contacting Support. How do I submit a Support ticket? An FAQ 
I find it interesting that you claim the spath command does not work yet none of your searches use spath.  The command won't work if it isn't invoked.  See my example above. Once the spath command has extracted the fields, then you can reference those fields in other commands.
You may find our documentation on custom search commands helpful: https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/ This topic includes some useful information on building different types of custom search commands as well as links to examples.
Got a search like this (I've obfuscated it a bit):

| tstats count where index IN (index1, index2, index3) by _time, host | where match(host,"^.*\.device\.mycompany\.com$")

Got a great looking stats table, and I'm really pleased with the performance of tstats - awesome. I want to graph the results... easy, right? Well, no. I cannot for the life of me seem to break down a, say, 60 minute span by host, despite the fact that I've got this awesome oven-ready, totally graphable stats table. So I am trying:

| tstats count where index IN (index1, index2, index3) by _time, host | where match(host,"^.*\.device\.mycompany\.com$") | timechart count by host

but the count is counting the hosts, whereas I want to "count the count"? Any ideas? This will be a super simple one, I expect - I've got a total mental block on this.
You probably have PuTTY or another SSH client installed on your Windows machine? If not, please install one. It comes with an sftp/scp client which you can use to copy that file to Linux.
I have installed Splunk Enterprise free trial into a VM as a root user. I know the best practice is to avoid using root to run as Splunk in case the underlying OS gets compromised and then the hacker has access to your OS with root level. I am following the doc online and it says once you install Splunk as root, don't start the Splunk installation but rather add a new user and then change ownership of the Splunk folder to that new non-root user   But before I do that, when Splunk is installed I check its ownership and it's already configured to Splunk. Does this mean Splunk has already configured a non-root user automatically upon installation?   If so, how would I make sure it has read access to local files I want to monitor?
Yes, you should install it as the root user, but then you should chown it to splunk (or another non-root user). Then enable it to start as that user.
"topic" is not a recognized value for the SOURCE_KEY field. Try using these transforms:

[setindexHIGH]
SOURCE_KEY = _raw
REGEX = ("topic":\s*"audits")
DEST_KEY = _MetaData:Index
FORMAT = imp_high
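The transform above only fires once something binds it to the incoming data, so here is the complete set of stanzas as an added example (not part of the answer above). The sourcetype name `my_json_source` and the index paths are assumed; the transforms stanza is the one from the answer. These must sit on the first full Splunk instance that parses the events (an indexer or heavy forwarder; a universal forwarder does not run index-time transforms), the `imp_high` index must exist on the indexers, and splunkd needs a restart. Routing applies only to data indexed after the change, not to events already on disk.

```ini
# props.conf -- bind the transform to the sourcetype (assumed name)
[my_json_source]
TRANSFORMS-route_audits = setindexHIGH

# transforms.conf -- the stanza from the answer: match the JSON key
# "topic" with the exact value "audits" anywhere in the raw event and
# rewrite the destination index. Because the closing quote is part of
# the pattern, a value such as "audits_archive" does not match.
# Events that do not match keep the index configured on their input.
[setindexHIGH]
SOURCE_KEY = _raw
REGEX = ("topic":\s*"audits")
DEST_KEY = _MetaData:Index
FORMAT = imp_high

# indexes.conf -- the target index must already exist on the indexers;
# events routed to a missing index are dropped unless a lastChanceIndex
# is configured (paths assumed; adjust to the local storage layout)
[imp_high]
homePath   = $SPLUNK_DB/imp_high/db
coldPath   = $SPLUNK_DB/imp_high/colddb
thawedPath = $SPLUNK_DB/imp_high/thaweddb
```

After the restart, send a test event containing `"topic": "audits"` and one without it through the same input, then search `index=imp_high` and the original index to confirm that only the first one was rerouted.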