Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About splunkreal
splunkreal
Motivator
Member since:
05-26-2016
yesterday
Community Statistics
| Posts | 569 |
| Solutions | 29 |
| Karma Given | 806 |
| Karma Received | 48 |
| Member Since | 05-26-2016 |
Activity Feed
- Posted Splunk ES threat feeds empty on Splunk Enterprise Security. yesterday
- Got Karma for Re: How to troubleshoot why we are getting "appserver port: already bound" on startup of Splunk 6.2.x after re. 2 weeks ago
- Posted Re: oracle:audit:unified Parsing Issue on All Apps and Add-ons. 07-25-2025 09:09 AM
- Karma Re: oracle:audit:unified Parsing Issue for kiran_panchavat. 07-25-2025 06:43 AM
- Karma Re: oracle:audit:unified Parsing Issue for kiran_panchavat. 07-25-2025 06:43 AM
- Karma Re: Moving Cluster to new subnet for esix_splunk. 07-21-2025 08:51 AM
- Karma Re: Where to perform field extraction in Splunk cluster for PickleRick. 06-30-2025 11:49 PM
- Karma Re: Where to perform field extraction in Splunk cluster for FrankVl. 06-30-2025 11:48 PM
- Posted Re: Splunk HEC/kafka raw logs parsing / addons on Getting Data In. 06-26-2025 08:36 AM
- Karma Re: Splunk HEC/kafka raw logs parsing / addons for livehybrid. 06-26-2025 08:35 AM
- Karma Re: Extract fields from RFC5424 syslog with nested json field for PickleRick. 06-25-2025 05:54 AM
- Karma Re: Extract fields from RFC5424 syslog with nested json field for tej57. 06-25-2025 05:53 AM
- Posted Re: Splunk HEC/kafka raw logs parsing / addons on Getting Data In. 06-18-2025 05:44 AM
- Karma Re: Splunk HEC/kafka raw logs parsing / addons for livehybrid. 06-18-2025 05:43 AM
- Posted Splunk HEC/kafka raw logs parsing / addons on Getting Data In. 06-18-2025 05:14 AM
- Karma Re: Submitting events over HEC to an index other than main? for PickleRick. 06-18-2025 04:45 AM
- Posted Extract fields from RFC5424 syslog with nested json field on Getting Data In. 06-05-2025 07:45 AM
- Karma Re: How to get the nested objects from my JSON data field? for PickleRick. 06-01-2025 05:13 AM
- Posted Re: Does props.conf support wildcards? on Getting Data In. 05-16-2025 12:24 AM
- Got Karma for Re: How do I renew an expired Splunk Certificate?. 05-02-2025 11:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-18-2017
07:11 AM
Hello lweber,
could you try this : http://127.0.0.1:8000/fr-FR/splunkd/__raw/servicesNS/admin/search/data/ui/panels/DASHBOARDNAME?output_mode=json&_=1484751462186
replace DASHBOARDNAME by your Dashboard or using OWASP ZAP I think javascript is still used in 6.5
... View more
01-12-2017
03:22 AM
Hello guys,
We need to disable the "Create new dashboard" button so could you tell me if it is still possible to custom the dashboardpage.js in splunk 6.5 or is it now possible to disable it from standard permissions?
Thanks.
Current version : 6.2.3
... View more
12-13-2016
09:18 AM
It works, thanks a lot!
I kept 'standalone' mode on that search head and only search head role.
... View more
12-13-2016
07:50 AM
Thanks Harshil, do you mean I can add that cluster master (it's also our deployment server and is not indexing data) in distributed search or I must add the new search head in the cluster (which I don't want as i want separate authentication, customization...) ?
... View more
12-13-2016
07:25 AM
Hi cusello, auto load balancing is OK, there isn't duplicate events if I search on one of the clustered search heads, only on that new separated search head with distributed search.
[tcpout]
defaultGroup = ssl_9997
useACK = true
maxQueueSize = 100MB
[tcpout:ssl_9997]
server = xxx01:9997, yyy01:9997
[tcpout-server://xxx01:9997]
sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/apps/APP_OUTPUTS/local/cacert.pem
sslVerifyServerCert=false
[tcpout-server://yyy01:9997]
sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/apps/APP_OUTPUTS/local/cacert.pem
sslVerifyServerCert=false
Thanks for your help.
... View more
12-13-2016
06:22 AM
Hello guys,
I've setup a separated search head using distributed search with clustered indexers (in order to have a different portal with different authentication)
However if I select more than one indexer then I get duplicate events.
Any idea to search all indexers without duplicate events?
Thanks.
... View more
12-12-2016
12:57 AM
Ok thanks for the clarification
... View more
12-06-2016
12:38 AM
Hi Aareneta, I couldn't try it yet. Thanks.
... View more
12-01-2016
05:42 AM
OK sorry too, from which version is it possible?
Thanks.
... View more
12-01-2016
12:18 AM
I downvoted this post because that feature is not available in v6.2.3, unable to disable create new dashboard link in the role options.
... View more
11-30-2016
04:54 AM
Hello guys,
I've already tried adding or editing dashboard.css for my custom app and nothing worked.
I've edited splunk/share/splunk/search_mrsparkle/exposed/js/build/dashboardspage.js and I commented the btn btn-primary add-dashboard code:
A small button without text appears, or I can also hide it by adding style="display: none;"
Is it OK, or there is another better and proper way?
Thanks.
... View more
11-29-2016
09:38 AM
Hello guys,
there is a vulnerability in Splunk, it's possible to edit the search of a dashboard using web browser's developer tools or OWASP, this can be restricted by role, however it's possible to remove timechart then show raw logs which we don't want :
//
// SEARCH MANAGERS
//
var search1 = new SearchManager({
"id": "search1",
"status_buckets": 0,
--> "search": "index=myindex | timechart span=1d count", <---
"earliest_time": "-7d@h",
"cancelOnUnload": true,
"latest_time": "now",
"app": utils.getCurrentApp(),
"auto_cancel": 90,
"preview": true,
"runWhenTimeIsUndefined": false
}, {tokens: true, tokenNamespace: "submitted"});
To finish our aim is to avoid user able to see raw data, only table or timechart.
Thanks a lot!
... View more
11-29-2016
02:09 AM
Good idea, thanks!
However where are then stored internal indexes?
... View more
11-28-2016
08:05 AM
GREAT!!!
In fact we need to go User interface or all configurations/Views/Search => permissions and disable read on the read-only role.
Thanks!!!
... View more
11-28-2016
07:31 AM
So why at http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Outputsconf we have :
sslPassword =
The password associated with the CAcert.
The default Splunk CAcert uses the password "password".
There is no default value.*
Thanks a lot!
... View more
11-28-2016
03:44 AM
Hello guys,
I've this configuration in a test environment :
1 SEARCH HEAD < (dist. search) > 1 INDEXER
(no clustered environment)
I set up indexes on the indexer then I still added those (dummy) indexes on the search head for management reasons.
The problem is with the Splunk Add-on for Java Management Extensions (JMX) : it's still writing on the local index of the search head! How to tell it to write on the indexer instead?
Thanks!
... View more
11-25-2016
01:53 AM
Hello guys,
I'm using this on deployment-apps (universal forwarder deployment) :
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = indexer:9997
[tcpout-server://indexer:9997]
sslCertPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/cacert.pem
sslVerifyServerCert = false
I'm 99% sure sslPassword for my cacert.pem is not 'password', so isn't it working for server.pem instead (default splunk cert) ?
If I use the correct cacert pass, I get ssl23_get_client_hello unknown protocol on indexer and TcpOutputFd Read error on forwarder.
Thanks for your clarification.
... View more
11-09-2016
05:41 AM
Dear Somesh,
finally I've added search peers (indexers of the cluster) in distributed search of the new sh and it looks good!
I don't want any sync or replication of clustered search heads.
Thanks a lot.
... View more
11-09-2016
01:01 AM
1 Karma
Hello,
could you tell me what happens if coldPath.maxdatasizemb is reached but maxTotalDataSizeMB higher than homePath.maxdatasizemb+coldPath.maxdatasizemb?
Example :
homePath.maxDataSizeMB = 115 000
coldPath.maxDataSizeMB = 450 000
maxTotalDataSizeMB = 5 000 000
Thanks.
... View more
11-07-2016
07:19 AM
Hello, we have an app (app_authentication) used to deploy authorize.conf and authentication.conf on our shcluster. Does it mean that I only need to disable deployment of this app on the new search head and configure users/roles locally? Thanks a lot.
... View more
11-03-2016
09:51 AM
The aim for that standalone search head is to have different permissions for existing clustered indexes. Is it possible with your solution?
Thanks.
... View more
11-03-2016
09:27 AM
Can't we just add search peers (clustered indexers) in "Settings / distributed search / search peers" from the new sh?
The aim is to avoid that that additionnel search head becomes part of the cluster.
Thanks for your help.
... View more
11-03-2016
08:57 AM
Hello,
is it possible to add clustered search peers (indexers) to standalone search head?
Thanks.
... View more
10-26-2016
06:58 AM
Hello,
could you tell me what is the difference between results from | rest and | metadata when trying to find, for example, latest event time per index?
Thanks.
... View more
10-04-2016
06:21 AM
1 Karma
Hello,
maxTotalDataSizeMB of one index is too large, is it possible to reduce it (above current size of course), without any problem?
Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
Karma given to
