I have knowledge objects in my custom apps which are created & managed in /default by manually uploading to splunkcloud and installing. this causes me a couple of problems : 1. even though they have write perms in default.meta for sc_admin only, users with other roles can change the knowledge objects through the ui - for example they can disable a savedsearch. presumably this creates a new copy in /local which means that my perms from default.meta no longer apply because new perms are written in local.meta. am i correct in my assessment, and if so what is the point of write perms? 2. once the user has created a /local copy of the savedsearch by changing or disabling it, there is a lock or conflict situation.... the ui /local version always gets precedence, and because there is also a version in /default i can no longer see a delete option for the ui version. so i am stuck with the ui version forever. in other words, the person with zero perms wins over the sc_admin. The only ways I have found to get out of this situation are (a) ask splunk cloudops to delete the files from /local, which takes 3 days, or (b) to rename all of the savedsearches in /default, upload and install the app, manually delete the versions that the user created in the ui, name the /default versions back again, and upload / install the app a 2nd time.  Am i missing something in terms of a better way to rectify things when this happens and why this might be the correct splunk behaviour? Thanks in advance Ian

When I test the regex in both regex101 and using the rex command in the search bar and they parsed out the fields correctly. Now that i have added them to the props conf on the search head, they are capturing extra information.    The Result field is the one that is mainly caputuring the SessionID which the the capture is Verified or Failed.   Thank you all for your help with this.      props.conf   [exp_test] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Custom pulldown_type = true CHECK_FOR_HEADER = false CHARSET = AUTO EXTRACT-SessionID = (?<=SessionID:)(?P<SessionID>.+) EXTRACT-Result = \VerificationResult:(?P<Result>.+) EXTRACT-UserName = (?<=User:)(?P<UserName>.+) EXTRACT-Response_1 = (?<=Response_1:)(?P<Response_1>.+) EXTRACT-Response_2 = (?<=Response_2:)(?P<Response_1>.+) Sample Log Time: 13-09-2021 10:08:19 VerificationResult: Failed SessionID: K3K2N2G3JPSOZNOWJFOMFPBP.pidd1v-210913090809460797217 User: LAST, FIRST 13-09-2021 10:10:18 Response_1: 1st reqest Sent! for User: LAST, FIRST 13-09-2021 10:10:19 Response_1: 1st response received! for User: LAST, FIRST Time: 13-09-2021 10:10:19 SessionID and User Mapping: SessionID: 3EV6PLCHK795Z8FQBKKYS3Z3.pidd2v-210913091018537820706 User: LAST, FIRST 13-09-2021 10:15:13 Response_1: 1st reqest Sent! for User: LAST, FIRST 13-09-2021 10:15:14 Response_1: 1st response received! for User: LAST, FIRST Time: 13-09-2021 10:15:14 SessionID and User Mapping: SessionID: GAWJ1C7ZWNAWCVTEEIWGE3LL.pidd2v-210913091513558630064 User: LAST, FIRST 13-09-2021 10:15:33 Response_1: 1st reqest Sent! for User: LAST, FIRST 13-09-2021 10:15:33 Response_1: 1st response received! for User: LAST, FIRST 13-09-2021 10:15:38 Response_1: 1st reqest Sent! for User: LAST, FIRST 13-09-2021 10:15:39 Response_1: 1st response received! for User: LAST, FIRST Time: 13-09-2021 10:15:39 SessionID and User Mapping: SessionID: 2SYZV3QHCZKYM2YTYIJLVL3E.pidd2v-210913091538460803649 User: LAST, FIRST 13-09-2021 10:15:47 Response_1: 2nd request sent! for the user verification SessionID: 2SYZV3QHCZKYM2YTYIJLVL3E.pidd2v-210913091538460803649 13-09-2021 10:15:48 Response_1: 2nd response received! for user verification SessionID: 2SYZV3QHCZKYM2YTYIJLVL3E.pidd2v-210913091538460803649 Time: 13-09-2021 10:15:48 VerificationResult: Verified SessionID: 2SYZV3QHCZKYM2YTYIJLVL3E.pidd2v-210913091538460803649 User: LAST, FIRST 13-09-2021 10:16:47 Response_1: 1st reqest Sent! for User: LAST, FIRST 13-09-2021 10:16:48 Response_1: 1st response received! for User: LAST, FIRST Time: 13-09-2021 10:16:48 SessionID and User Mapping: SessionID: D5JVVUR3AAKFURITHCI993H9.pidd2v-210913091647448944771 User: LAST, FIRST

Need an SPL to review the time zone on my Splunk instances please. Is it important for these TZs to be consistent with Time zones on all the FWs? Should I really care for time zones to be right on the FWs? Thank u in advance.

Hi Everybody, Here my requirement is to create the alerts for JVM logs, we are try to create the alert for "Heap Memory Usage"  and  "Deadlock Threads" but we are unable to find out the events. What type of events we are getting for "Heap Memory Usage" and "Deadlock Threads" and is there any particular app to monitor the JVM logs??

We have a requirement to collect the logs using client Certs (mTLS) authentication, and we are using Splunk HTTP Event Collector Endpoint along with token and client certs to achieve this.  So in order to achieve extension to this TLS support we would like to know is there any way to update the .conf files to support the multiple server-side certificates which can be used for Server Name Indication (SNI) by which a client indicates which hostname it is attempting to connect.  Have someone tried a similar approach before? Also if you could give other suggestions for our solution will be much appreciated! Thank you. Amit R. S

Hello, In order to make syslog communication through TLS work, I followed this procedure https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates  on one node. I backed up the original cacert.pem and copy the new root certificate just created to $SPLUNK_HOME/etc/auth/cacert.pem I also copied the server certificate to $SPLUNK_HOME/etc/auth/server.pem and change the configuration in files $SPLUNK_HOME/etc/apps/launcher/local/inputs.conf and $SPLUNK_HOME/etc/system/local/server.conf Since then, I have the error log : ERROR LMTracker - failed to send rows, reason='Unable to connect to license master=https://xxx:8089 Error connecting: SSL not configured on client' (xxx correspond to the license master server) So I tried to restore original cacert.pem and server.pem but i still get the error. I tried to connect to the license master through TLS with curl but I get an error (Peer's Certificate has expired) I checked the license master certificate and it appears to be expired since one month. But license verification is working from other Splunk nodes (on which I did not change root certificate) and curl too. Also I am not able to renew this certificate as it is sign by the default root CA and I do not have the passphrase of the private key. The connection to the web interface of this node does not work, I get an internal server error. Could you please help me to figure out what is blocking the license verification? Do not hesitate to tell me if you need more details. Thank you

I have used CSS to increase the size of pie chart legend labels;     .highcharts-data-label text tspan { font-size:14px !important; word-break: break-all !important; }     On smaller panels and with long text however the text overflows out of the panel. I've attempted to use word break to stop this from happening without any result. Please refer to the screenshot attached. Is there anyway to break and stay within the panel?

Hi splunkers, I heard some rumors that Microsoft 365 App and anything related to Microsoft Apps are planning to change their free versions to paid versions. Please let me know the truth about the above one. Kindly please help, Best Regards.