we have a 6 node SHC Want to use the deployer to push out authorise.conf so that we can manage the user/role/index access centrally. Looking for an example of how you control which index is seen by which user/role For example the role would look like [mail team] cumulativeRTSrchJobsQuota = 0 cumulativeSrchJobsQuota = 0 importRoles = user srchIndexesAllowed = mailgatewaylogs;maillogs;emailscanlogs srchMaxTime = 8640000 How do i specify users to have that have the mail team role ? user1:mail team user2:mail team user3:mail team Not been able to find any reference or example as to how best to set this configuration centrally. Thanks in advance   ... View more

hi, Looking to upgrade Splunk Enterprise from 7.2.4 to 7.3.3 and wanted to know is the CB Response app (ver 2.1.4) is compatible with Enterprise 7.3.3 Looking on Splunkbase it only does'nt mention version 7.3 at all. https://splunkbase.splunk.com/app/3336/ Does anyone know if CB Response version 2.1.4 does work on Splunk Enterprise 7.3.3 without any issues ? Thanks Paul ... View more

Hi all, I am running the below query, I get responses from some of my Splunk servers but not all ? | rest /services/server/info | eval LastStartupTime=strftime(startup_time, "%Y/%m/%d %H:%M:%S") | eval timenow=now() | eval daysup = round((timenow - startup_time) / 86400,0) | eval Uptime = tostring(daysup) + " Days" | table splunk_server LastStartupTime Uptime Is there anything I am missing on the servers that are not reporting back ? Cheers Paul ... View more

hi all, I have had a number of scheduled searches that failed, all returning the same errors. WARN : Eventtype 'xxxxxxxx' does not exist or is disabled. WARN : [INDEXER 1] Eventtype 'xxxxxxxx' does not exist or is disabled. WARN : [INDEXER 2] Eventtype 'xxxxxxxx' does not exist or is disabled. WARN : [INDEXER 3] Eventtype 'xxxxxxxx' does not exist or is disabled. WARN : [INDEXER 4] Eventtype 'xxxxxxxx' does not exist or is disabled. Could someone explain why the indexers were returning the errors when all eventtypes are located on the search heads ? cheers Paul ... View more

hi all, I have seperate drive for my hot/warm and cold data. The hot/warm drive is near capacity. Looking to find an easy way to calculate how much data each index will hold. One example index config set is as below 10955Mb ingest per day (10.9Gb) MazDataSize = 750mb (max size in MB for a hot bucket to reach before it rolls to warm) maxWarmDBCount = 436 (max number of warm buckets) maxtotalDataSize = 4328249mb (4328Gb) (maximum size of the index (in Mb) frozenTimePeriodinSecs = 34128000 (395days in seconds)(number of seconds after which indexed data rolls to frozen) overall retention = 395 (13months) overall warm in days = 30 I would like to know how i can work out what size this indexed data should take up on my hot/warm and cold drives. The split of the 4328Gb between the hot/warm & cold drives over 13months. Does anyone know how best to calculate this ? Cheers Paul ... View more