here's what i feel is happening: First note that you might have more then just one savedsearches.conf file. The one that you are looking at is probably not the one that has the changes you submitted through splunkweb. Check under these folders for the savedsearches.conf that reflects the changes you did: /users/admin/search/local/savedsearches.conf or perhaps instead of admin use the user you usually login to splunk. /apps/search/local/savedsearches.conf if youre running splunk on a unix machine you could also try running (from the splunk/etc folder) : find . -name savedsearches.conf Usually, the changes should be instantaneous and you do not have to restart your server. Let me know if this helped. .gz ... View more

hmm you can try: ./splunk stop ./splunk clean all ./splunk start I believe when you do the above, it forgets about what files it has indexed and starts the indexing from the beginning. Let me know if this worked for you. Cheers, .gz (ps. make sure you are doing this from the forwarder...) ... View more

As far as i know (and the little test that i just concluded) there is no way to tell the role what metadata to show and what not to show. However, i believe what you are trying to achieve can be done by the following: Create a role that does not have access to the main index This role will have only these capabilities: change_own_password get_metadata get_typeahead list_inputs request_remote_tok rest_apps_view rest_properties_get rest_properties_set search This role will not inherit any other capabilities from any other role (ie. remove the user from the selected roles list) Create a user and assign it to this role Assign data that you want this role to see to the index that you specified for the role Logout from your admin user and login with the newly created user (belonging to the newly created role) Check to see if you see other metadata or if you only see the metadata that belong to this index. Here is my setup: Created an index called localping. used ping localhost > meta.test to get some sample logs. Created a new role called metadatatest and gave it the above capabilities and made localping the default index as well as the only index that this role can search Created a user called metauser with the metadatatest role. Logged in with this user and can only see info from the localping index. Here is a sample screenshot: Sources (1) Source | Total Count | Last Updated (desc) * /Users/gzaimi/meta.test | 1,283 Sourcetypes (1) Sourcetype | Total Count | Last Updated (desc) * test-too_small | 1,283 Hosts (1) Host | Total Count | Last Updated (desc) * localhost | 1,283 As you can see i can only see these instead of seeing a lot more data that i can usually see with the admin role. Hope this helped. .gz ... View more

Asking the dev's we understand that this is not the default behavior and that something is clearly broken in the code. The workaround, till this gets fixed, would be not to use file uploading as a means to bring data to splunk if you care for field extractions. If you use regular monitoring stanza, both index-time field extractions as well as header-checking field extractions happen without any issues. Cheers, .gz ... View more

So the issue of the driver signature has come up before. Im not too sure why it happens but one possibility is with 64bit machines and the driver not passing the signing. Another possibility is if you already have one instance of splunk running and the regmon is already being monitored. Since this is a light forwarder then you cannot use splunkweb to disable the monitoring. What is needed is to change this in the configuration files: Go to C:\Program Files\Splunk\etc\system\local\inputs.conf And add this: [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] disabled = 1 Once done, a splunk restart is all that is needed. Cheers .gz ... View more

Yes. GFS are supported. The customer who submitted this question just needed to wait a few minutes for the indexing to pick up and populate within the search dashboard. If you are having issues with this, please check to make sure you have set up monitoring correctly and that splunk has rights to read those files. .gz ... View more

Derek, If i remember correctly this is a bug that Splunk developers are working on. If memory serves right, this does not interfere with your daily splunk usage and performance and you should not worry about it .gz ... View more

This is probably an instance of a known issue during an upgrade to 4.1.x. What is happening is that a file is not deleted while upgrading and a broken link is still showing in Manager. Confirm if you are seeing two links: 1 - Field Extractions 2 - Fields (and then field extractions within that link) If so the solution is simple: 1 - do not click on field extractions to extract fields, instead use the "FIELDS" link. 2 - Go to splunk/etc/apps/search/default/data/ui/manager and delete the file data_extractions.xml I believe you should not be able to see the "Field extractions" link anymore, and so, you will not have the issue. In the future, you need to make your field extractions in the Fields link. Hope this helps everyone out there! .gz ... View more

Can you check 2 things for me: 1) does a ./splunk restart splunkweb fix the hang? (or does it time out) 2) Can you run searches in CLI mode? I have definitely seen this issue come up, but am unsure if it is exactly the same issue or not, however, if the two above happen then we already have a fix for it. Contacting support would probably be the best way for you to get this issue troubleshooted further, and receive the new patch. Let me know on the above two conditions... Cheers, .gz ... View more