@richgalloway @PickleRick I checked in ChatGPT and explored authorize.conf and thought of using the below. Please check and verify and let me know whether it will work.

Below is the role created for non-prod:

[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod
srchFilter = index=non_prod

Below is the role created for prod:

[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index=prod) OR (index=opco_summary AND service=juniper-prod)

Still confused on = and ::. index and service are both not indexed fields, hence I used =.
Sorry to everyone that I am posting multiple posts for my issue. Just summarising everything here. Please help me with the solution.

We created a single summary index for all applications and are afraid of giving access to it, because if any of them can see it, they can see other apps' summary data, which would be a security issue, right? We have created a dashboard with the summary index and disabled "open in search". At some point we need to give them access to the summary index, and what if they search index=*? Then their restricted index and this summary index both show up, which can be risky. Is there any way we can restrict users from running index=*?

NOTE - we are already using RBAC to restrict users to their specific indexes. But this summary index will show summarised data of all. Any way to restrict this? However, in the dashboard we are restricting them: a field has to be selected, and only then does the panel with the summary index show up with filtering. How do people handle this type of situation?

We will create two indexes per application, one for non_prod and one for prod logs, in the same Splunk. They create 2 AD groups (np and prod). We will create indexes and roles and assign them to the respective AD groups, and one user will have access to both of these 2 groups. Being a single summary index, I thought of filtering it at role level using srchFilter and the service field, so as to restrict one user from seeing other apps' summary data. I extracted the service field from raw data and ingested it into the summary index so that it will pick up service field values. Then I will use this field in srchFilter to restrict users. We only need the summary index for prod data (indexes), not non-prod data.
Below is the role created for non-prod:

[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod

Below is the role created for prod:

[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index=prod) OR (index=opco_summary service=juniper-prod)

In another post I received a comment that indexed fields use ::, but here these two fields (index, service) are not indexed fields, hence I gave =. Here my doubt is: when the user with these two roles searches only index=non_prod, will he see results or not? How does this search work in the backend? Is there any way to test? And a few users are part of 6-8 AD groups (6-8 indexes). How does this srchFilter work here? Please clarify. But what if the user runs index=non_prod... Can he still see non_prod logs or not? If there is no other way than creating a separate summary index for each application, we need to do it. But is there any way we can do it fast rather than doing it manually? But again, I don't have coding knowledge to automate this.
Yup. JAVA_HOME should be the base dir of the Java installation. See https://docs.oracle.com/cd/E19182-01/821-0917/inst_jdk_javahome_t/index.html for example.
Hi @Karthikeya Regarding "service::juniper-prod" - This will only work if service is an indexed field, as :: is used to reference an indexed field. @richgalloway makes some good points - srchFilters can get very complicated very quickly - I've seen this implemented for production environments before and it ended in lots of stress. All it takes is someone to get an additional role with a more permissive srchFilter and it all breaks down. In terms of your question about OR/AND, check out this:

srchFilterSelecting = <boolean>
* Determines whether a role's search filters are used for selecting or
  eliminating during role inheritance.
* If "true", the search filters are used for selecting. The filters are joined
  with an OR clause when combined.
* If "false", the search filters are used for eliminating. The filters are joined
  with an AND clause when combined.
* Example:
  * role1 srchFilter = sourcetype!=ex1 with selecting=true
  * role2 srchFilter = sourcetype=ex2 with selecting = false
  * role3 srchFilter = sourcetype!=ex3 AND index=main with selecting = true
  * role3 inherits from role2 and role 2 inherits from role1
  * Resulting srchFilter = ((sourcetype!=ex1) OR
    (sourcetype!=ex3 AND index=main)) AND ((sourcetype=ex2))
* Default: true

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Gagandeep In addition to what @PickleRick mentioned about the version number - I believe you need to enter a path to JAVA_HOME, not to the java.exe file. I *think* the JAVA_HOME path for your install would be C:\Program Files (x86)\Common Files\Oracle\Java\java8path but it could be 1 directory higher. Please try adjusting this and let us know how you get on.
@richgalloway I have read somewhere that it will be an implicit OR. Maybe in the documentation, I can't remember. But is it good practice to have summary data in the original index? What are the consequences I face in the long term? The sourcetype I see for summary data is stash. Not able to change this.
Hi @AliMaher A colleague of mine recently took the SPLK-3001 exam and it was based on ES 7.x. For self-study, I'd recommend using the official Splunk Enterprise Security Certified Admin Exam Blueprint, which lists all tested topics and recommended learning paths - this will help you focus on which areas are covered in the exam and allow you to tick off what you've learnt.
Thanks for the response. I actually installed both Java 21 and 24 but no luck. JRE path is C:\Program Files (x86)\Common Files\Oracle\Java\java8path\java.exe. Upon putting in the above path and clicking save, then returning to the same page, the path is gone. The error remains there: FileNotFoundError: [WinError 2] The system cannot find the file specified validate java command: java.
Here is more about selecting the correct user in a Windows environment: https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.4/install-splunk-enterprise-on-windows/choose-the-windows-user-splunk-enterprise-should-run-as
When you have a cluster, the correct method is to add nodes to it and, after the data has spread onto those new nodes, remove the old nodes. Here are the details of how to do it: https://community.splunk.com/t5/Splunk-Enterprise/Migration-of-Splunk-to-different-server-same-platform-Linux-but/m-p/538062
The example questions in the Study Guide are about ES7 (the most obvious differentiator between those two is notables vs. findings). It is a normal practice for Splunk certifications and trainings to not rely on the most bleeding edge versions of software since there are often older versions in use in the real world.
This is a relatively old thread and I don't recall seeing any of its participants active lately. Anyway, I don't think you can disable the rest command as such. You can limit the scope of information the user can access (see the list_* capabilities) but I don't think you can prohibit a user from listing indexes on an AIO installation.
Hello Splunkers, I hope you all are doing well. I am preparing to take the SPLK-3001 exam, and I want to know the self-study guide and the version of ES. Is it V7 or V8? Thanks in advance!
I would check the job inspector (and job log) for the details of the exact search being spawned. Doesn't your users' role have some limits set for search time ranges? And does it also "work" the same way when you choose a longer time range from the time picker?
You "have tried" to install JRE or did you install it? The manual explicitly lists Java 17 and 21. It doesn't list 24, so it might work but is not officially supported. And on Windows I'd definitely go for Option 3: Set JRE installation directory in Configuration > Settings > JRE Installation Path. https://help.splunk.com/en/splunk-cloud-platform/connect-relational-databases/deploy-and-use-splunk-db-connect/4.0/before-you-deploy/system-requirements
It seems to be a commercial app with a possible 90-day trial available on request. The vendor chose not to provide any form of pricing publicly. You must contact them directly to obtain any information about the product.
Windows Server 2022. I have tried installing JRE 24 and Java 8. It doesn't let me save the JAVA_HOME path. It throws the error below: FileNotFoundError: [WinError 2] The system cannot find the file specified validate java command: java. Any help would be appreciated!!!!
Avoid search filters. While they can be useful at times, more often they complicate matters. For instance, in your case the members of 6-8 AD groups (therefore, presumably, in 6-8 Splunk roles) will have 6-8 search filters combined with implicit AND operators to create a search that finds nothing. The only reliable way to control access to data is to put that data in an index with the proper RBAC settings. Rather than have a single summary index, it would be better to create a separate summary index for each group of users with unique access requirements.
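To make the srchFilterSelecting spec text quoted earlier in this thread and the "6-8 filters combined into a search that finds nothing" point above concrete, here is a small added Python model of that combination rule (not code from the thread or from Splunk). Role names, service values and the choice to model several directly assigned roles as a filterless role that imports all of them are assumptions for illustration only.

```python
# Model of how authorize.conf combines srchFilter values across roles, following
# the srchFilterSelecting spec text quoted in the thread. Constructed example.
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    srch_filter: str = ""
    selecting: bool = True                        # srchFilterSelecting default
    imports: list = field(default_factory=list)   # roles this role inherits from


def effective_roles(role, visited=None, order=None):
    """Flatten the inheritance chain, parents first, without looping on cycles."""
    visited = set() if visited is None else visited
    order = [] if order is None else order
    if role.name in visited:
        return order
    visited.add(role.name)
    for parent in role.imports:
        effective_roles(parent, visited, order)
    order.append(role)
    return order


def combined_srch_filter(role):
    """Selecting filters are OR-joined into one group, eliminating filters are
    each AND-ed on, and empty filters contribute nothing."""
    roles = effective_roles(role)
    selecting = [f"({r.srch_filter})" for r in roles if r.srch_filter and r.selecting]
    eliminating = [f"({r.srch_filter})" for r in roles if r.srch_filter and not r.selecting]
    parts = []
    if selecting:
        parts.append("(" + " OR ".join(selecting) + ")")
    parts.extend("(" + e + ")" for e in eliminating)
    return " AND ".join(parts)


def many_app_roles(services, selecting=False):
    """A user holding one role per application, each filtering on its own service
    value (the 6-8 AD groups case). Assumption: directly assigned roles combine
    like a filterless role importing all of them. With selecting=False every
    filter is AND-ed, so no event can satisfy all of them at once."""
    roles = [Role(f"role_{s}", f"service={s}", selecting) for s in services]
    return combined_srch_filter(Role("user_roles", "", True, roles))


if __name__ == "__main__":
    print(many_app_roles(["app1", "app2", "app3"]))                   # AND: finds nothing
    print(many_app_roles(["app1", "app2", "app3"], selecting=True))   # OR: any of the three
```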
The :: notation is for indexed fields. If a field is defined as an indexed field, the k=v part of the search will get translated to a condition using the k::v form in the underlying index search phase. While index is not an indexed field as such, both forms should work with it as well. To get a bit more technical - indexed fields are written as single key::value tokens in the lexicon, so you can look for them by those tokens.