It's still not working. Here are the screenshots. Note: upon adding the above JAVA_HOME path, it doesn't show any notification of whether it saved or not. Upon refreshing the page, the path is no longer there. Created a new JAVA_HOME under Environment Variables but no luck.
Hi @shoaibalimir  When you assessed it and didn't get the required outcome, what is the issue you had specifically? Is this a one-time ingestion of historic files already in S3, or are you wanting to ingest on an ongoing basis (I assume the latter?). Personally I would avoid Generic-S3 as it relies on checkpoint files and can get messy quickly. SQS-based S3 is the way to go here I believe. Check out https://splunk.github.io/splunk-add-on-for-amazon-web-services/SQS-basedS3/ for more details on setting up an SQS-based-S3 input. It's also worth noting that the dynamic parts of the path shouldn't be a problem. If you have requirements to put them into specific indexes depending on the dynamic values then you can configure this when you set up the event notification (https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html) and will probably need multiple SQS queues. Alternatively you could use props/transforms to route to the correct index at ingest time.

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @isahu  Can you have a look at $SPLUNK_HOME/var/log/splunk/splunkd.log, specifically for errors relating to "TcpOutputProc" or "TcpOutputFd"? Please also confirm that outputs.conf is configured as expected using btool: $SPLUNK_HOME/bin/splunk cmd btool outputs list --debug. As others have said, the lack of _internal logs from the UF points to an issue with sending outbound; hopefully the above troubleshooting will help determine the cause of the issue.

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi, in my company we are using Splunk Enterprise in a cluster structure. I recently updated my servers (not Splunk). After that, and after restarting the Splunk deployment server, all forwarders are trying to phone home, and when listening on the deployment server it is receiving the calls, but when I check clients in the Forwarder Management section it is empty. What can I do?
Please stop spamming multiple posts - your question has been asked (again) here - you have been given solutions (which you don't appear to want to use). If anyone can come up with alternatives, they will most likely respond here.
OK, hence I gave = for service and index. Hope it will work. Will the stanzas I have given work as expected, or does srchFilter have any behaviour that can't be defined?
For a search-time field you cannot use the :: syntax.
@gcusello we have already implemented RBAC-restricted access to indexes. Now the headache started because of this single shared summary index.
Checked in ChatGPT and the authorize.conf doc and written this. Please help with whether this will work if a user has access to both these roles. They still need to access non_prod, prod, and summary data restricted to their service.

Below is the role created for non-prod:
[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod
srchFilter = index=non_prod

Below is the role created for prod:
[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index=prod OR (index=opco_summary AND service=juniper-prod))

Worried about how this srchFilter works across multiple roles (a few managers have access to 6-8 AD groups, meaning 6-8 indexes); they still need to see all data including summary data for those 6-8 services.
Hi @Karthikeya , in Splunk, restrictions on access to data are managed at the index level, not at the app level. In other words, when you create a role, you should define the indexes that the role can access: e.g. role1 accesses only index1 and role2 only accesses index2; then you can assign one role or both of them to a user depending on your requirements. You can do this in [Settings > Roles > Indexes]. In addition, you can eventually add some restrictions on an index (e.g. on the wineventlog index, a role can access only events with EventCode IN (4624,4625,4634), whereas another role can access all the events in the wineventlog index). You can do this in [Settings > Roles > Restrictions]. Ciao. Giuseppe
@richgalloway @PickleRick I checked in ChatGPT and explored authorize.conf and thought of using the below. Please check and verify and let me know whether it will work.

Below is the role created for non-prod:
[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod
srchFilter = index=non_prod

Below is the role created for prod:
[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index=prod) OR (index=opco_summary AND service=juniper-prod)

Still confused on = and ::. index and service are both not indexed fields, hence I used =.
Sorry to everyone that I am posting multiple posts for my issue. Just summarising everything here; please help me with the solution.

We created a single summary index for all applications and are afraid of giving access to it, because any of them who sees it can see other apps' summary data, which would be a security issue, right? We have created a dashboard with the summary index and disabled "open in search". At some point, we need to give them access to the summary index, and what if they search index=*? Then their restricted index and this summary index show up, which can be risky. Is there any way we can restrict users from running index=*? NOTE: we are already using RBAC to restrict users to their specific indexes. But this summary index will show summarised data of all. Any way to restrict this? However, in the dashboard we are restricting them: a field must be selected, and only then does the panel with the summary index show up, filtered. How do people handle this type of situation?

We will create two indexes per application, one for non_prod and one for prod logs, in the same Splunk. They create 2 AD groups (np and prod). We will create indexes and roles and assign them to the respective AD groups, and 1 user will have access to both these 2 groups. With a single summary index, I thought of filtering it at role level using srchFilter and the service field, so as to restrict one user from seeing other apps' summary data. I extracted the service field from raw data and ingested it into the summary index so that it will pick up service field values. Then I will use this field in srchFilter to restrict users. We only need the summary index for prod data (indexes), not non-prod data.

Below is the role created for non-prod:
[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod

Below is the role created for prod:
[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index=prod OR (index=opco_summary service=juniper-prod))

In another post I received a comment that indexed fields use ::, but here these two fields (index, service) are not indexed fields, hence I used =. Here my doubt is: when a user with these two roles searches only index=non_prod, does he see results or not? How does this search work in the backend? Is there any way to test? And a few users are part of 6-8 AD groups (6-8 indexes). How does this srchFilter work there? Please clarify. But what if the user runs index=non_prod? Can he still see non_prod logs or not? If there is no other way than creating a separate summary index for each application, we need to do it. But is there any way we can do it fast rather than doing it manually? But again, I don't have coding knowledge to automate this.
Yup. JAVA_HOME should be the base dir of Java installation. See https://docs.oracle.com/cd/E19182-01/821-0917/inst_jdk_javahome_t/index.html for example
Hi @Karthikeya  Regarding "service::juniper-prod": this will only work if service is an indexed field, as :: is used to reference an indexed field. @richgalloway makes some good points: srchFilters can get very complicated very quickly. I've seen this implemented for production environments before and it ended in lots of stress. All it takes is someone getting an additional role with a more permissive srchFilter and it all breaks down. In terms of your question about OR/AND, check out this:

srchFilterSelecting = <boolean>
* Determines whether a role's search filters are used for selecting or eliminating during role inheritance.
* If "true", the search filters are used for selecting. The filters are joined with an OR clause when combined.
* If "false", the search filters are used for eliminating. The filters are joined with an AND clause when combined.
* Example:
* role1 srchFilter = sourcetype!=ex1 with selecting=true
* role2 srchFilter = sourcetype=ex2 with selecting = false
* role3 srchFilter = sourcetype!=ex3 AND index=main with selecting = true
* role3 inherits from role2 and role 2 inherits from role1
* Resulting srchFilter = ((sourcetype!=ex1) OR (sourcetype!=ex3 AND index=main)) AND ((sourcetype=ex2))
* Default: true

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
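The combination rule in the authorize.conf excerpt above, modelled in Python as an added example (not Splunk's code and not the poster's): it reproduces the documented role1/role2/role3 result and then applies the same rule to this thread's role_abc and role_xyz, built from the posted stanzas, to show why an extra role with no srchFilter collapses the restriction. That directly assigned roles combine the same way as inherited ones, and that an empty selecting filter matches everything, are assumptions.

```python
# Added example, not Splunk's code: models the srchFilter combination rule
# quoted above. Selecting filters are OR'd, eliminating filters are AND'd,
# result = (selecting) AND (eliminating). Assumption: an empty selecting
# filter matches everything, so OR-ing it in removes the restriction.

def _collect_roles(roles, name, seen):
    """Append name and every role it inherits from, parents first."""
    if name in seen:
        return
    for parent in roles[name].get("importedRoles", []):
        _collect_roles(roles, parent, seen)
    seen.append(name)

def effective_srch_filter(roles, *names):
    """Combined filter for names plus their inherited roles; "" means unrestricted."""
    involved = []
    for n in names:
        _collect_roles(roles, n, involved)
    selecting, eliminating, unrestricted = [], [], False
    for n in involved:
        role = roles[n]
        f = role.get("srchFilter", "").strip()
        if role.get("srchFilterSelecting", True):
            if f:
                selecting.append(f"({f})")
            else:
                unrestricted = True  # assumed: empty selecting filter = match all
        elif f:
            eliminating.append(f"({f})")
    parts = []
    if selecting and not unrestricted:
        parts.append("(" + " OR ".join(selecting) + ")")
    if eliminating:
        parts.append("(" + " AND ".join(eliminating) + ")")
    return " AND ".join(parts)

# Inheritance example from the authorize.conf excerpt quoted above.
DOC_ROLES = {
    "role1": {"srchFilter": "sourcetype!=ex1"},
    "role2": {"srchFilter": "sourcetype=ex2", "srchFilterSelecting": False, "importedRoles": ["role1"]},
    "role3": {"srchFilter": "sourcetype!=ex3 AND index=main", "importedRoles": ["role2"]},
}

# The thread's two roles assigned directly to one user (constructed from the posted stanzas).
THREAD_ROLES = {
    "role_abc": {"srchFilter": ""},
    "role_xyz": {"srchFilter": "index=prod OR (index=opco_summary AND service=juniper-prod)"},
}
```

Calling effective_srch_filter(THREAD_ROLES, "role_abc", "role_xyz") returns an empty filter: the unfiltered non-prod role, OR'd with the prod role, leaves the summary index unrestricted for that user.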
Hi @Gagandeep  In addition to what @PickleRick mentioned about the version number, I believe you need to enter the path to JAVA_HOME, not to the java.exe file. I *think* the JAVA_HOME path for your install would be C:\Program Files (x86)\Common Files\Oracle\Java\java8path but it could be 1 directory higher. Please try adjusting this and let us know how you get on.

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
@richgalloway I have read somewhere that it will be an implicit OR. Maybe in the documentation, I can't remember. But is it good practice to have summary data in the original index? What consequences will I face in the long term? I see the sourcetype is stash for summary data. Not able to change this.
Hi @AliMaher  A colleague of mine recently took the SPLK-3001 exam and it was based on ES 7.x. For self-study, I'd recommend using the official Splunk Enterprise Security Certified Admin Exam Blueprint, which lists all tested topics and recommended learning paths; this will help you focus on which areas are covered in the exam and allow you to tick off what you've learnt.

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Thanks for the response. I actually installed both Java 21 and 24 but no luck. JRE path as C:\Program Files (x86)\Common Files\Oracle\Java\java8path\java.exe. Upon putting in the above path and clicking on save, then returning to the same page, the path is gone. The error remains there: FileNotFoundError: [WinError 2] The system cannot find the file specified validate java command: java.
Here is more about selecting the correct user in a Windows environment: https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.4/install-splunk-enterprise-on-windows/choose-the-windows-user-splunk-enterprise-should-run-as
Can you check on the UF side what it has written into its local log files? There should be information on why it can't send those to your indexers.