Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About hettervik
hettervik
Builder
Member since:
09-25-2015
08-08-2025
Community Statistics
| Posts | 266 |
| Solutions | 21 |
| Karma Given | 107 |
| Karma Received | 48 |
| Member Since | 09-25-2015 |
Activity Feed
- Posted Is there a way to re-index data from an index to a new index, on a indexer cluster, without using collect? on Splunk Enterprise Security. 08-08-2025 01:44 AM
- Karma Re: How to add dark theme compatibility to custom app? for cindy. 11-26-2024 01:10 AM
- Posted Re: How to add dark theme compatibility to custom app? on Splunk Search. 11-19-2024 04:24 AM
- Posted Re: How to add dark theme compatibility to custom app? on Splunk Search. 11-11-2024 07:08 AM
- Posted How long are asset list field values stored in the Splunk ES asset list framework? on Splunk Enterprise Security. 10-21-2024 05:57 AM
- Karma Re: Not all field values are extracted for long JSON files for wu_weidong. 10-04-2024 05:13 AM
- Karma Re: Not all field values are extracted for long JSON files for cssmdi. 10-04-2024 05:13 AM
- Posted Re: Not all field values are extracted for long JSON files on Splunk Search. 10-04-2024 12:35 AM
- Karma Winners of the Community Dashboard Contest! for GretchenFox. 09-16-2024 06:19 AM
- Karma Community Update: Navigation Improvements! for GretchenFox. 09-09-2024 12:55 AM
- Got Karma for Nessus security scans dashboard and drilldown. 05-29-2024 06:49 AM
- Got Karma for Nessus security scans dashboard and drilldown. 05-27-2024 05:26 AM
- Karma Re: How do I retrieve the first and last date from each month? for vishaltaneja070. 05-22-2024 06:59 AM
- Posted Re: How do Splunk ES create incidents from notable events? on Alerting. 05-14-2024 02:38 AM
- Karma Re: How do Splunk ES create incidents from notable events? for tscroggins. 05-13-2024 06:34 AM
- Posted How do Splunk ES create incidents from notable events? on Alerting. 05-10-2024 06:24 AM
- Tagged How do Splunk ES create incidents from notable events? on Alerting. 05-10-2024 06:24 AM
- Posted Re: Add hyperlink in email alert on All Apps and Add-ons. 03-14-2024 09:37 AM
- Posted Re: Has anyone encountered this error: Asset and Identity Management issue? on Security. 08-30-2023 02:00 AM
- Posted Re: Why is my lookup field from KV store in datamodel not showing correct results? on Splunk Search. 08-16-2023 01:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-25-2016
01:20 AM
Thanks for your answer! So, if we use one of these storage types, is the data still accessible from Splunk Cloud? I mean, Splunk can set it up for me so that when data is rolled to e.g. cold it is moved from the indexer in the cloud to some data storing service that can store bigger amounts of data?
Also, I see that it's possible to buy storage increments of 500 GB for Splunk Cloud, but I'm guessing this is rather expensive compared to moving the cold/frozen data to e.g. a local storage.
... View more
05-25-2016
01:05 AM
Okay, I have an open case at Splunk Support on this issue, but haven't had any activity on the case for about three weeks now. Looks like it has come to a dead end. After some discussions with several colleagues we've come to the conclusion that there are some "hidden" capabilities for the default Splunk roles, meaning that you can't just copy the capabilities from e.g. the default admin role and create a custom admin role with the same capabilities but different indexes. Sorry, this is the best answer I can give. Case closed.
... View more
05-11-2016
06:46 AM
Hi,
I've looked around in the documentation for how to set an archiving policy in Splunk Cloud, but I haven't found an answer yet. I know that the document "Safeguarding Customer Data in Splunk Cloud" talk about archiving, but in this paper they call it archiving when data is rolled from hot to warm. I want to to know if there's a way to roll to frozen in Splunk Cloud, and if so, what's the price of storing data this way compared to storing data in warm buckets?
... View more
05-11-2016
06:40 AM
Hi, I have a follow-up question. Whenever I create an index in Splunk Cloud I can set the retention time to whatever I want, so where does the "default" retention on 90 days take effect? Is it so that if I set a retention time to 150 days, data will still be deleted after 90 days?
... View more
05-11-2016
01:40 AM
You are absolutely right! The app I was looking at was from a former Splunk Cloud Trial instance. There is another app for the new prod-instance of Splunk Cloud which has all the servers listed. That surely clears things up. Thanks!
... View more
05-11-2016
01:28 AM
Thanks for your fast answer. So the fact that it says id.cloud.indicates that there's only one indexer? If so, why are there five servers showing in my Splunk Cloud GUI? These five show when i search for * with value, count and percent.
idx2.<customer>.splunkcloud.com 383 30.763%
idx3.<customer>.splunkcloud.com 292 23.454%
idx4.<customer>.splunkcloud.com 203 16.305%
idx1.<customer>.splunkcloud.com 199 15.984%
idx5.<customer>.splunkcloud.com 168 13.494%
... View more
05-11-2016
01:08 AM
Hi,
I'm wondering how load balancing in Splunk Cloud work.
When i install the splunkcloud.uf app on a local forwarder, the outputs.conf that is created in the app looks like so:
[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-prd-p-<id>.cloud.splunk.com:9997
sslCommonNameToCheck = input-prd-p-<id>.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = <password>
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true
Notice that there is only one server listed. When I search for "splunk_server" in my Splunk Cloud it clearly says I have five indexers. Why aren't all those listed behind "server" as normal when using load balancing? I know there is something called the indexer discovery feature, but then I guess I would see a stanza for that in my outputs.conf. Could someone explain this to me?
... View more
04-28-2016
04:01 AM
1 Karma
Did anyone find a solution to this? We've stumbled upon the same problem it seems.
If the file has a header, this would be the other way around, right? That Splunk wouldn't read new files because it think they are the same as the old rolled ones. So that the file has a header couldn't be the problem.
... View more
04-25-2016
12:15 AM
I have sat up inheritance already. My custom admin role inherits from a custom power role and a custom user role. The custom power role and custom user role are copies of the default power and user roles in the same way the custom admin role are a copy of the default admin. In other words, this kind of inheritance setup doesn't seem to solve the problem. I've created a case on Splunk support. I'll update this thread if we find a solution.
... View more
04-25-2016
12:03 AM
Thanks for your answer. I tried searching for index=_internal index!=*_archive while being logged in as the default admin, and the search did indeed return no results. Then I tried removing the archive search restriction from from my custom admin role, but I still can't search internal indexes. I also removed the same search restriction from my custom power role and my custom user role from which the custom admin inherits, again to little help. For me it's starting to look like we've found a bug.
... View more
04-19-2016
06:35 AM
I found out why my MAX_TIMESTAMP_LOOKAHEAD wasn't working. A heavy forwarder was parsing the data, and thus marking it as "cooked" before it reached my indexer. When cooked data gets to an indexer it isn't re-parsed, and all source type settings on the indexer aren't taken into account. Case closed.
... View more
04-19-2016
06:31 AM
I haven't gotten a copy of authorize.conf from support, but I've looked over the list of settings on my custom admin role in the Splunk Cloud GUI. The only "enabled" settings in your list that aren't in my UI list in our Splunk Cloud are the ones listed below. All these settings are not choosable from "available capabilities" in the Splunk Cloud role edit settings. Could any of these settings be the reason why my custom admin role can't see internal indexes? If so, do you know how to enable them?
can_own_notable_events = enabled
create_external_ticket = enabled
edit_correlationsearches = enabled
dit_log_review_settings = enabled
edit_modinput_threatlist = enabled
edit_modinput_web_ping = enabled
edit_notable_events = enabled
edit_per_panel_filters = enabled
edit_postprocess = enabled
edit_reviewstatuses = enabled
edit_suppressions = enabled
... View more
04-14-2016
01:06 AM
Thank you for checking this out for me! How do you see your authorize.conf while using Splunk Cloud? As far as I know the only way to do it is to send a request to support. I will do so, and then I'll cross-check my configuration with yours. I'll get back to you.
... View more
04-13-2016
06:19 AM
I receive "no results found" when searching for internal indexes. Searching for non-internal indexes works just fine.
... View more
04-13-2016
03:58 AM
No, my custom admin role don't see any internal data at all, e.g. index=_internal.
... View more
04-13-2016
01:11 AM
Hi. Thanks for your answer! I was thinking the same thing, there must be a difference between the two admin roles. I've triple checked that all capabilities from the default admin are copied over to my custom admin, also regarding inheritance from user and power roles. The custom admin have access to "all internal indexes," and "all internal indexes" are searched by default.
To me it almost seem like other roles than the default admin role on Splunk Cloud aren't allowed to search on internal indexes, even though the role specifies that they should be able to do so. Please, prove me wrong. I'd like to get to the bottom of this.
... View more
04-11-2016
12:56 AM
Hi,
On Splunk Cloud, the admin role has by default access to all non-internal indexes. At a customer's site, we want to retain the the access rights of admins by keeping "available indexes" (with the exception of internal indexes) in their own "access roles." Thus, our admin role would only grant the user the capabilities of the admin, but not any non-internal indexes. Those indexes would have to be granted by their own 1:1 access roles.
Our problem is that when we grant a user the custom admin role we've created, that user can't see the graphs in the "distributed management console." It seems like the users aren't allowed to see the _internal index, even though it clearly says in the custom admin role we've created that all internal indexes should be searchable. We've even added the index _internal specifically, in addition to "all internal indexes," just to be sure. What's interesting is that if we let our custom admin role inherit from the default admin role, then it works.
Any idea of what could be the problem here? Could there be some sort of "hidden" access right or capability on the default admin role in Splunk Cloud?
... View more
04-05-2016
06:13 AM
Hi,
Did you find a solution to the MAX_TIMESTAMP_LOOKAHEAD problem? I have the same issue as you had. I've noticed the answers you've written below, that you have renamed the sourcetype, but I don't quite get it. Is there some other fields that somehow overrides the MAX_TIMESTAMP_LOOKAHEAD field?
Here are some of the fields configured on my sourcetype. Do these seem okay to you?
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{2,}:\d{2,}:\d{2,},\d{3,}
MAX_TIMESTAMP_LOOKAHEAD = 20
... View more
04-05-2016
03:42 AM
No, we haven't tried that, but we did find another solution. Instead of using the "upload" function, we used the "monitor" function. We selected the same file as we had previously tried to upload and told Splunk to only index the file once (as opposite to continuously monitoring it). Technically it would be the same as using the previously tried upload function, right? Nevertheless, it worked.
Our conclusion is that there's a bug in the upload function.
... View more
04-05-2016
02:43 AM
Hi,
Did you find out the reason why this happens? We've tried moving the file to different directories before uploading it, and also we've tried renaming the file. Those things seems to have no effect. Did you find a solution?
... View more
We've upgraded the Splunk Cloud Trial to a POC license, and now sending emails works just fine. Also, before we upgraded, we asked Splunk support about the issue, and they couldn't either send mails from a Splunk Cloud Trial instance they sat up. It seems like there indeed is some sort of restriction on the Splunk Cloud Trial.
... View more
To answer my own question, there is apparently no limit on the number of users one can invite to a Splunk Cloud Trial.
We had a similar problem as the one described above when using an instance of a Splunk Cloud Trial at a customer's site. Splunk Support says that "access to the instance is restricted to individuals who have the same domain as the owner of the instance [...]" when we contacted them about the issue. This answers seem to fit well with the problems we where experiencing with the Splunk Cloud Trial at the customer's site, so for now I'll assume this is the reason for the 404 errors. Case closed.
... View more
03-17-2016
06:39 AM
Hi,
As far as I know it's possible to send email from Splunk Cloud using mail host 127.0.0.1:25, which also is sat as mail host by default. I'm having some troubles sending email from my Splunk Cloud Trial instance. I've tried sending emails to a couple of different email accounts to ensure that there are no filters blocking out the emails, and I've also tried using a different mail host belonging to the customer I'm currently working for, but with no luck. Could there be any limitations on the Splunk Cloud Trial that prevents me from sending emails? If not, does anyone have any idea on what may be the problem?
Thanks!
... View more
- Tags:
- splunk-cloud
03-17-2016
05:00 AM
Looks like I have have the exact same problem as you.
I've tried using the mail host 127.0.0.1:25 as well as another mail host belonging to the customer I'm currently working with. I've also tried sending emails from Splunk to several different email accounts, just to make sure there isn't some kind of filter blocking them out (I've encountered that problem at another customer).
I'm currently using a Splunk Cloud Trial instance. Don't know if that matter?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-08-2025
01:35 AM
|
Karma from
Karma given to
