Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About yoho
yoho
Contributor
Member since:
08-19-2011
Thursday
Community Statistics
| Posts | 132 |
| Solutions | 5 |
| Karma Given | 90 |
| Karma Received | 47 |
| Member Since | 08-19-2011 |
Activity Feed
- Karma Re: Announcing Modern Navigation: A New Era of Splunk User Experience for boss6. Thursday
- Karma Splunk upgrade 9.3 to 9.4 mongodb error for Warren_Laya. 3 weeks ago
- Posted Re: Attempting to revert the SPLUNK_HOME ownership? on Splunk Enterprise. 08-11-2025 02:54 AM
- Karma Attempting to revert the SPLUNK_HOME ownership? for Skeer-Jamf. 08-11-2025 02:53 AM
- Posted Re: increase dropdown limit values : 1000 values / 25 000 values on Dashboards & Visualizations. 04-25-2025 03:18 AM
- Karma increase dropdown limit values : 1000 values / 25 000 values for anissabnk. 04-25-2025 03:18 AM
- Karma Re: VIM syntax highlighting for splunk config files for alacercogitatus. 02-12-2025 07:29 AM
- Got Karma for VIM syntax highlighting for splunk config files. 02-12-2025 02:39 AM
- Tagged Rebalancing script on Deployment Architecture. 04-16-2024 12:24 AM
- Tagged Re: App label configured in app.conf not displayed in nav bar next to app logo on Dashboards & Visualizations. 04-16-2024 12:22 AM
- Tagged Re: App label configured in app.conf not displayed in nav bar next to app logo on Dashboards & Visualizations. 04-16-2024 12:22 AM
- Tagged Re: App label configured in app.conf not displayed in nav bar next to app logo on Dashboards & Visualizations. 04-16-2024 12:21 AM
- Posted Re: App label configured in app.conf not displayed in nav bar next to app logo on Dashboards & Visualizations. 04-16-2024 12:20 AM
- Karma App label configured in app.conf not displayed in nav bar next to app logo for mr103. 04-16-2024 12:20 AM
- Got Karma for Re: Appending to srchIndexesDefault / srchIndexesAllowed. 10-27-2023 05:27 AM
- Got Karma for Rebalancing script. 10-15-2023 09:25 PM
- Got Karma for Rebalancing script. 10-14-2023 04:53 PM
- Posted Rebalancing script on Deployment Architecture. 10-14-2023 06:48 AM
- Karma Re: Splunk forwarder file monitor is not detecting new files and getting error "Bug during applyPendingMetadata, header processor does not own the indexed extractions confs"? for jamesar. 05-15-2023 06:13 AM
- Karma Re: Explanation of various HTTP(s) timeouts for hrawat. 05-10-2023 04:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 |
05-15-2014
05:07 AM
Indeed, that was the point. You also risk some troubles if, in the future versions, splunk implements a way to forbid this (there are multiple ways to do this rather easily).
... View more
05-14-2014
08:23 AM
Actually got again the problem with another platform. My problem was not playing with permissions, it was more subtle than that. I had a custom app with a "bin/unix" directory (copy from a previous unix app), it was sufficient for python to look for several libraries under this path which it did not find. Error message in the web_service.log led me to the way to solve it (the message was saying it was unable to load a library)
... View more
05-13-2014
05:38 AM
Maybe changing the umask when splunk gets started would change something to this situation ?
... View more
05-12-2014
02:06 PM
Still doesn't appear to be fixed in the latest version of SoS 😞
... View more
05-12-2014
02:02 PM
We use both answers given previously:
1) Separate indexes for dept
2) Careful read/write permissions and index access
3) 1 app per dept
Step 3 is the most difficult because if you create apps for your departments, you will have to avoid too much difference between all these apps or it will become impossible to maintain. So we have created a "master" app that we customize department per department in a very strict way : basically, for each department, we remove the views they don't need.
... View more
05-12-2014
01:49 PM
Well it doesn't work anymore, at least for me. Wrote about it to apps.splunk.com admins and they told me that they know and were fixing it. But it's a feature I definitely need !
... View more
04-09-2014
12:28 PM
Ok thanks. I still don't get why I get this error message. I'll investigate a bit further.
... View more
04-04-2014
03:49 PM
I run into the same issue but I'm allowed to install plugins in my browser. There are some SVG plugins for IE: can't we use them ? Is there a way to bypass the detection ?
... View more
04-04-2014
02:48 PM
Followup on this: In the meantime, we've recovered our enterprise entitlement. I've found the problem for this issue: I've been playing too much with local.meta to limit permissions and even admin was not able to "write" (the config). It's now fixed.
... View more
04-04-2014
04:26 AM
@lukejadamec: I knew the link but my question was related to the precedence within a single file which is only documented for props.conf if I'm not mistaken.
@gfuente: thanks, it answers to the question but how can I have splunk listen for any source ip and set the sourcetype for specific ones ? Will I have to use props/transforms ?
... View more
04-04-2014
02:42 AM
I would like to set up a splunk forwarder to listen for syslog connections (let's say on port 1514). I know specific source IP addresses which sends a specific sourcetype but for the other, I don't know. So I was thinkg of having an inputs.conf looking like this:
[udp://1.2.3.4:1514]
sourcetype = asm_log
[udp://:1514]
sourcetype = syslog
But won't the two stanzas conflict ? If not, what will be the order of precedence between these 2 stanzas ? Is this order guaranteed to stay the same whatever stanza is in the other config files ? Can I invert the two stanzas and get the same results ?
... View more
04-01-2014
06:00 AM
I think everything is in the title 🙂 Extract from savedsearches.conf:
[DB inspection]
(...)
search = | inputlookup monitored_indexes.csv| fields index | dedup index | map maxsearches=99 search=" | `db_inspect_collection($$index$$)`"
I got an error with my splunk install base and traced it down to usage of "$$" in fire_brigade (something like "$unix_summary$ not found").
Why using "$$" ?
... View more
- Tags:
- Fire Brigade
04-01-2014
01:45 AM
Hi ! This problem still exists. It's easy to fix if you have a deployment server but I think apps should work correctly by default without any tuning, so waiting desperately for a 2.0.5 release of TA-sos...
... View more
03-13-2014
02:30 AM
2 Karma
With Splunk 6, there's even a simpler way to make it because it's a built-in feature of simple XML. Read this documentation.
... View more
01-28-2014
08:00 AM
Is it in splunk 5 or 6 ? In splunk 5, I'm also able to override the default XML views but in splunk 6 I still have not found the way to do it properly.
... View more
01-28-2014
01:20 AM
Thanks ! Indeed Splunk 6 update should fix this problem.
... View more
01-23-2014
06:18 AM
Me too. I think it's not very trivial given the visualization tools of splunk. In the end, it comes down to making the timechart of a field whose value is 1 when your process is up and 0 when it's down. I'm also trying to make a chart similar to this one (well, less elaborate): http://www.bootchart.org/images/bootchart.png
... View more
01-08-2014
03:12 AM
Another reason is that I'm a bit new to summarized indexing and I've understood you have to put the same args to your "sitimechart" and "timechart" commands to have statistically correct results. I've indeed finally came down to an hourly span and get the correct results (see below).
... View more
01-08-2014
03:10 AM
Now that I've fixed the problem mentioned in my update I get info_max_time properly set. It should allow Splunk to check if there are any overlaps or gaps and only compute the sum for data which has not been taken into account yet.
So this should fix the problem and now work but in the end I found it simpler to set span=1h instead of span=1d and I finally got the right results.
... View more
01-08-2014
02:43 AM
1 Karma
Unfortunately, only works with "FlashChart" and not "JSchart" module.
... View more
01-08-2014
01:03 AM
Yes, that's something I've not explained. The reason is that I want to get the daily indexing volume over the past 30 days but for today I wouldn't like to wait until tomorrow before getting the results.
... View more
01-07-2014
08:40 AM
Hi,
I would like to give access to indexing volume per day and per index to all my users but they must only be able to access to their own index + summarized index (to keep it simple, let's say userA has access only to indexA and summindexA).
So I would like to do this by scheduling several summary searches (1 per user) taking data out of the _internal index and writing the results to users' summary indexes. A second search will take care of displaying the results.
My saved search is the following:
[Index thruput A]
search = index=_internal source=*metrics.log group=per_index_thruput series = indexA | sitimechart span=1d sum(kb) by series
cron_schedule = 15 * * * *
action.summary_index = 1
enableSched = 1
dispatch.earliest_time = -1h@h
dispatch.latest_time = now@h
action.summary_index.name = summindexA
I copy/paste this stanza and just replace "A" by "B" for userB, C for userC, D for userD, etc...
The search displaying the results is:
[Log volume (last 30 days) A]
search = index=summindexA source="Index thruput A" | timechart span=1d sum(kb) as total_kb
dispatch.earliest_time = -30d
dispatch.latest_time = now
I get some results but they are wrong: for some reason, the first search appears to ignore dispatch.earliest_time and is not only summing results from the past hour but from the whole day.
Also I've noticed info_max_time is not present in the summary search results, meaning that checks for overlaps can probably not happen. Is it normal behavior of sitimechart ? (another sitimechart search appears to work the same way).
Update My syntax for the latest_time was wrong: "now@h" was invalid and I should have used "@h". Not sure this is the root cause of all the problems but it certainly didn't help to get the results right. I've updated the saved search and will investigate again if I now get more accurate results.
... View more
12-09-2013
06:00 AM
Little update:
1. I've implemented the first step described above by using standard "local.meta" configuration files. UI can probably be used too.
2. Be careful that customizing top elements of a view in Splunk 6 has been limited to only a few possibilities. We'll have to test if overriding these elements still works.
... View more
I've created a new role without rest_apps_management and rest_apps_view capabilities.
It works more or less because the users with such role are indeed unable to manage apps but I believe the UI should hide entirely the 'app' menu in this case otherwise users see the menu items but everytime they click, get the following message:
Fail: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/a999901/launcher/data/modular-inputs?count=-1
Details: None
Is there any way to hide this menu for users with a specific role ?
... View more
12-05-2013
01:07 AM
Araitz, for some reason my entitlement (enterprise support) has been "lost" and I am now only allowed to open community cases. I'm trying to solve this issue first because it's critical to my business. Once I get enterprise support, the first case I'll open is about this problem.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
Karma from
Karma given to
