×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
broccliman
Explorer
Member since: ‎07-14-2013
‎09-29-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎07-14-2013
Activity Feed
View All

Re: Linux file permissions for regularly overwritt...

by in Knowledge Management
‎09-29-2020 10:21 AM
‎09-29-2020 10:21 AM
For context, we have a user (and group) named splunk which runs our Splunk instance. The umask for this account is 0002 (u=rwx,g=rwx,o=rx). Observing default file permissions as the splunk user: [splunk@___ ~]$ touch foo && ls foo -l -rw-rw-r-- 1 splunk splunk 0 Sep 29 17:02 foo My assumption was there was some Splunk configuration controlling the file permissions of the lookup csv file, but based on your feedback it sounds like that's not the case. ... View more

Linux file permissions for regularly overwritten l...

by in Knowledge Management
‎09-29-2020 08:17 AM
‎09-29-2020 08:17 AM
I'm trying to better understand the relationship of a defined lookup in Splunk (8.0.1) and its file permissions when running on Linux. We have an app containing the following: A file-lookup definition, call it foo A lookup csv file, named foo.csv A scheduled saved search to modify the contents of foo lookup on some interval From observation, if the foo.csv file is given explicit permissions, say chmod 644, those permissions are preserved when appending to the csv file (| outputlookup append=true foo); however, the permissions are lost (reset to 600) when overwriting the csv file (| outputlookup append=false foo). Is there a way to preserve a lookup csv file's permissions in Linux when overwriting its contents through Splunk? ... View more
Labels

Re: Splunk 6.2.1 with Splunk PowerShell Resource K...

by in Getting Data In
‎02-19-2015 05:22 PM
‎02-19-2015 05:22 PM
Thanks for the response. Although this doesn't change my situation, you did answer my question - marking this as the answer. I would submit a PR, but my change lacks the context of the larger use of Invoke-HTTPPost ; I think its too narrow-sighted. Instead, we will move forward by implementing our own version of New-SplunkIndex using HTTP against the REST API. ... View more

Splunk 6.2.1 with Splunk PowerShell Resource Kit: ...

by in Getting Data In
‎02-18-2015 01:45 PM
1 Karma
‎02-18-2015 01:45 PM
1 Karma
Using Splunk Enterprise 6.2.1 along with the latest version of the splunk-reskit-powershell toolkit, I (and others on my team with local installations of Splunk Enterprise) are having trouble automating the creation of an index using New-SplunkIndex . The code looks something like this: Import-Module Splunk Disable-CertificateValidation Connect-Splunk -ComputerName $env:COMPUTERNAME -Protocol https -Port 8089 New-SplunkIndex -Name test The error message: Invoke-HTTPPost : Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (400) Bad Request." Using verbose output, we get this response: <response> <messages> <msg type="ERROR"> In handler 'indexes': Argument "search" is not supported by this handler.</msg> </messages> </response> Digging into the verbose output, we can see the data being POST'ed to the Splunk endpoint: VERBOSE: [Invoke-HTTPPost] :: $PostString = search=&name=test We were able to dig into Splunk-Core.psm1, modify the Invoke-HttpPost function, and get past this error. We did so by essentially commenting out line 224. Based on our limited research, it seems like the core Invoke-HTTPPost method always includes a search value within message body being POST'ed; however, the REST endpoint for creating a new index rejects the search parameter. Is there a different way we should be using the toolkit to create an index, or is this a bug within the toolkit itself? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-29-2020 06:35 PM
Karma from
View All
Karma given to
View All