I would like to clean up the messaging I'm sending to Slack for splunk alerts. I've tried markdown [text](http://url) which doesn't work and renders the text exactly as displayed here. I've also tried <text|http://url> which renders verbatim also. Is there any way to have slack hide URLs behind text like a normal hyperlink? My alerts look really awful with huge links back to slack searches and dashboards. TYIA
License server is I think the least stressed component of the Splunk architecture (maybe along with a SHC deployer) so it usually can be scaled down and/or deployed as a joint role with something else (for example a SHC deployer doubling down as license server). That's from a strictly "technical" point of view. If that's a small scale lab, you can probably get away with something much much smaller for a LM. But of course if it was a prod environment the usual answer from support for any issues would probably be "your servers are below specs".
Access control happens on the search head. So if you are an admin on a search head, you can effectively do anything on that search head including granting yourself rights to search any index you want. You still don't get write permissions to the search peers - this is something else and is done on the indexers themselves especially since you don't do indexer changes from a SH. So you can have two independent search environments with separate sets of users (or even different authentication mechanisms) but I don't recall any mechanism allowing limiting searched indexes per whole search-head environments. So the thing that you could do is to create a "restricted admin" role inheriting from several atomic roles - each allowing access to one of the indexes, having ability to grant roles from this particular set of roles and remove index access rights from all other roles grantable by this user. But it might not be enough if you really need a "full admin" user with abilities to do all admin stuff on the SH.
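One way to express the "restricted admin" role described above in authorize.conf on the search head, as an added example that is not from the original reply. It assumes Splunk Enterprise 8.1 or later (for the grantableRoles attribute and the edit_roles_grantable capability), the hypothetical index names index_a and index_b, and hypothetical role names; check the attribute names against authorize.conf.spec for your version.

```ini
# authorize.conf on the search head (added example; index and role names are hypothetical)

# Atomic roles: each grants search access to exactly one index and nothing else.
[role_search_index_a]
srchIndexesAllowed = index_a
srchIndexesDefault = index_a

[role_search_index_b]
srchIndexesAllowed = index_b
srchIndexesDefault = index_b

# Restricted admin: searchable indexes are the union of the imported roles' srchIndexesAllowed,
# so do NOT import roles such as admin or user whose srchIndexesAllowed is wider than this set.
[role_restricted_admin]
importRoles = search_index_a;search_index_b
# Can only hand out (and, with edit_roles_grantable, only edit) roles from this list.
grantableRoles = search_index_a;search_index_b;restricted_admin
edit_user = enabled
edit_roles_grantable = enabled
```

After a restart, verify the effective index scope of the new role from the search head (Settings > Roles, or the authorization/roles REST endpoint) before handing it to anyone; an imported role with `srchIndexesAllowed = *` silently widens it.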
Wait a second. Where are you getting "index not found"? What exactly are you doing so that you get this message? Normal search over a non-existing index simply yields no results as far as I remember.
It depends on a use case. What and how you're searching. Are you trying to search raw data or summarized datamodel? Are you using that lookup to generate search terms using a subsearch or are you using the lookup command? What amount of data are we talking about?
So, I want to create a dashboard for a particular team in my company and they want to add notes to dashboard for everyone on their team to view. Is that possible, and if yes, can you refer me to something? Thank you!
Hi @pgoldweic - I did not receive a response back. I was told to email the dev team's support directly: webplatform@splunk.com or hit up their Slack channel: #webplatform
Hi @ohbuckeyeio , I'm just curious; did you ever get a response from Splunk on this? I'm finding other problems with my users of splunk-utils and wonder whether more recent versions are safe to use or not.
You could set up some scheduled reports to run on partial sets of addresses, then load the results from the searches in your dashboard. This assumes you can work with out of date data e.g. your report is based on yesterday's data and you don't need the very latest data. Alternatively, as you said, you could "chain" your searches based on when a search completes, set a token which the next search is waiting for, and so on. (This is easier to do in SimpleXML, but still possible in Studio.)
If you are decommissioning indexers, they have to redistribute all the data on them to other peers in the cluster. If you try to take down several all at once, that process will likely break. Definitely decom them individually. Also, if you're using ./splunk offline --enforce-counts, DO NOT set maintenance mode. The cluster cannot be in maintenance mode, because bucket fixup does not occur during maintenance mode. https://docs.splunk.com/Documentation/Splunk/9.3.0/Indexer/Takeapeeroffline#The_enforce-counts_offline_process
Yes, trial instances do use self-signed certs. That's normal. If you buy a normal paid service you get certs from a well-known CA. And if you say "was" does it mean your trial has ended? That would mean that the environment has been turned off so there is nothing to connect to. So the connection timeout is a normal situation.
I would like to create a dashboard which would run a search daily to check network traffic against a list of about 18,000 IP addresses. We created a lookup table with all the IP addresses and ran it, but the search times out. Then we tried to split the lookup tables into 8 different tables and each table was a panel in our dashboard. A few dashboards will run when we do it this way, but then the rest time out. An idea we had was to either create a drop down tab to only run the searches when we specify, or create a search that runs one lookup table and then will only start the next search when the other stops. Is there a simpler way to do this? Ideally it would all be one search but it just seems to be too much for our resources.
Take what was given previously and adjust with your additional fields you need carried through.

Original Suggestion:

| stats values(Sockets) as Sockets by IP Hostname ID
| eval Sockets=mvjoin(Sockets, ",")

Extended Suggestion:

| stats values(x) as x, values(y) as y, values(Sockets) as Sockets by IP Hostname ID
| eval Sockets=mvjoin(Sockets, ",")
| table IP Hostname ID Sockets x y

Extend as many fields as you want to carry forward; the table is only required if you wish to control the display order of the fields, completely skip it otherwise.
What is your role? The indexes you can see are based on your role. Can you share the exact error message(s) you are seeing along with the query that caused them? That will help us find the source of the problem.
Hi guys, Is there any documentation available out there to set up the Cisco Security Cloud app? Specific requirements, "failed to create an input" and similar errors etc. Qzy