All Posts
Access control happens on the search head. So if you are an admin on a search head, you can effectively do anything on that search head including granting yourself rights to search any index you want. You still don't get write permissions to the search peers - this is something else and is done on the indexers themselves, especially since you don't do indexer changes from a SH. So you can have two independent search environments with separate sets of users (or even different authentication mechanisms) but I don't recall any mechanism allowing limiting searched indexes per whole search-head environments. So the thing that you could do is to create a "restricted admin" role inheriting from several atomic roles - each allowing access to one of the indexes, having the ability to grant roles from this particular set of roles, and remove index access rights from all other roles grantable by this user. But it might not be enough if you really need a "full admin" user with abilities to do all admin stuff on the SH.
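One concrete shape for the "restricted admin" idea in the reply above, as an added example that is not part of the original post: an authorize.conf fragment for the search head with one atomic role per index and a restricted admin role that inherits them and can only hand out that same set. The index names (web, auth), the role names and the extra capabilities granted at the end are assumptions for illustration.

```ini
# authorize.conf on the search head (added example, not from the thread).
# Index names "web" and "auth" and all role names are assumptions.

# One atomic role per index. These carry no capabilities beyond index
# access, so they are safe to hand out on their own and to inherit.
[role_search_web]
srchIndexesAllowed = web
srchIndexesDefault = web

[role_search_auth]
srchIndexesAllowed = auth
srchIndexesDefault = auth

# The restricted admin. Index visibility comes only from the imported
# roles (Splunk unions srchIndexesAllowed across them), so nothing is
# listed here that the atomic roles do not already allow.
[role_restricted_admin]
importRoles = search_web;search_auth

# Can create users and assign them roles ...
edit_user = enabled
# ... but only the roles named in grantableRoles. edit_roles_grantable
# confines role editing to that list; the full edit_roles capability is
# left out on purpose, because with it the holder could widen
# srchIndexesAllowed on any role, including this one, which is exactly
# the self-escalation the reply describes. Check authorize.conf.spec for
# your version for the precise interaction of these three settings.
edit_roles_grantable = enabled
grantableRoles = search_web;search_auth

# Day-to-day search-head work the team still needs. admin_all_objects is
# deliberately not granted: it would expose every knowledge object on the
# search head regardless of sharing permissions.
schedule_search = enabled
rtsearch = enabled
```

After a restart (or a debug/refresh of the authorization endpoints) compare the merged stanza with `splunk btool authorize list role_restricted_admin --debug`, and as a user holding only that role run `| eventcount summarize=false index=*` to confirm which indexes actually resolve. Two caveats: capabilities are unioned across imported roles just like indexes, so the atomic roles must not import the stock `user` role if your authorize.conf still gives it `srchIndexesAllowed = *`; and, as the reply says, this only constrains what the role can search and grant on this search head, not anything on the indexers.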
Did you ever find a resolution to this? 
Wait a second. Where are you getting "index not found"? What exactly are you doing so that you get this message? Normal search over a non-existing index simply yields no results as far as I remember.
It depends on a use case. What and how you're searching. Are you trying to search raw data or summarized datamodel? Are you using that lookup to generate search terms using a subsearch or are you using the lookup command? What amount of data are we talking about?  
So, I want to create a dashboard for a particular team in my company and they want to add notes to dashboard for everyone on their team to view. Is that possible, and if yes, can you refer me to something?    Thank you! 
Hi @pgoldweic - I did not receive a response back. I was told to email the dev team's support directly: webplatform@splunk.com or hit up their Slack channel: #webplatform
Hi @ohbuckeyeio , I'm just curious; did you ever get a response from Splunk on this? I'm finding other problems with my users of splunk-utils and wonder whether more recent versions are safe to use or not.
You could set up some scheduled reports to run on partial sets of addresses, then load the results from the searches in your dashboard. This assumes you can work with out of date data e.g. your report is based on yesterday's data and you don't need the very latest data. Alternatively, as you said, you could "chain" your searches based on when a search completes, set a token which the next search is waiting for, and so on. (This is easier to do in SimpleXML, but still possible in Studio.)
If you are decommissioning indexers, they have to redistribute all the data on them to other peers in the cluster. If you try to take down several all at once, that process will likely break. Definitely decom them individually.

Also, if you're using

    ./splunk offline --enforce-counts

DO NOT set maintenance mode. The cluster cannot be in maintenance mode, because bucket fixup does not occur during maintenance mode.
https://docs.splunk.com/Documentation/Splunk/9.3.0/Indexer/Takeapeeroffline#The_enforce-counts_offline_process
Yes, trial instances do use self-signed certs. That's normal. If you buy a normal paid service you get certs from a well-known CA. And if you say "was", does it mean your trial has ended? That would mean that the environment has been turned off, so there is nothing to connect to. So the connection timeout is a normal situation.
I would like to create a dashboard which would run a search daily to check network traffic against a list of about 18,000 IP addresses. We created a lookup table with all the IP addresses and ran it, but the search times out. Then we tried to split the lookup table into 8 different tables and each table was a panel in our dashboard. A few panels will run when we do it this way, but then the rest time out. An idea we had was to either create a drop-down tab to only run the searches when we specify, or create a search that runs one lookup table and then will only start the next search when the other stops. Is there a simpler way to do this? Ideally it would all be one search, but it just seems to be too much for our resources.
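The 18,000-address check in the question above, written as the scheduled report the earlier reply suggests and using the lookup command rather than a subsearch (the distinction the "It depends on a use case" reply asks about). This is an added example, not code from any post in this thread. Assumed names: a lookup file ip_watchlist.csv with columns ip and list, a lookup definition ip_watchlist, an index netfw whose events carry src_ip and dest_ip, and the report name.

```ini
# transforms.conf (added example, not from the thread). The CSV
# ip_watchlist.csv is assumed to have two columns, "ip" and "list"
# (e.g. 10.0.0.5,blocklist). 18,000 rows is far below the default
# 10 MB max_memtable_bytes, so the table is held in memory and each
# event costs one hash lookup.
[ip_watchlist]
filename = ip_watchlist.csv

# savedsearches.conf. One scheduled report does the whole match in a
# single pass with the lookup command. A subsearch of the form
# [| inputlookup ip_watchlist | fields ip | rename ip AS dest_ip]
# would instead expand the CSV into an OR clause of 18,000 terms and be
# silently cut off at the default subsearch limit of 10,000 results.
# Index "netfw", sourcetype "firewall" and the field names are assumptions.
[Watchlist - daily hits]
enableSched = 1
cron_schedule = 15 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# keep the last two runs' artifacts so the dashboard can load them
dispatch.ttl = 2p
search = index=netfw sourcetype=firewall dest_ip=* \
  | lookup ip_watchlist ip AS dest_ip OUTPUT list AS watchlist \
  | where isnotnull(watchlist) \
  | stats count, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, dest_ip, watchlist
```

The dashboard panel then references the report instead of running the search itself: `<search ref="Watchlist - daily hits"/>` in Simple XML, or `| loadjob savedsearch="<owner>:<app>:Watchlist - daily hits"` in SPL, which reads the stored results of the last run and finishes immediately. If the data volume still forces a split, split by time window or by sourcetype rather than by chopping the CSV: a panel that only knows a slice of the watchlist can only ever report a slice of the matches.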
Take what was given previously and adjust with the additional fields you need carried through.

Original suggestion:

    | stats values(Sockets) as Sockets by IP Hostname ID
    | eval Sockets=mvjoin(Sockets, ",")

Extended suggestion:

    | stats values(x) as x, values(y) as y, values(Sockets) as Sockets by IP Hostname ID
    | eval Sockets=mvjoin(Sockets, ",")
    | table IP Hostname ID Sockets x y

Extend with as many fields as you want to carry forward. The table command is only required if you wish to control the display order of the fields; skip it completely otherwise.
I am an Admin
What is your role? The indexes you can see are based on your role. Can you share the exact error message(s) you are seeing along with the query that caused them? That will help us find the source of the problem.
I am trying to create use cases and searching the indexes, but I get an "index search not found" error message. All my logs are not showing up anywhere.
Please provide a more complete representation of your data and your expected output - we can only work with what you show us.
Hi guys, Is there any documentation available out there to setup the Cisco Security Cloud app? Specific requirements, "failed to create an input" and similar errors etc. Qzy
Hello @pratrox, I believe this has been addressed in the latest version of the Upgrade Readiness App. Just have the app installed on your environment and run the Python scan from the UI, and it should display incompatible apps/add-ons.

Splunkbase link - https://splunkbase.splunk.com/app/5483

Thanks, Tejas.

---
If the above solution helps, an upvote is appreciated!!
Hi, I have already tried this, but the issue is there are around 15+ fields which I'm using in my complete table query at the end. I just want to merge based only on these 3 fields, but if I mention these fields in stats, all the other 12+ fields get empty values. Is there a way it can check only those 3 fields and not impact the other field values?