This has puzzled me too. Turned out, default connect parameters don't give you access to objects that are set to "private" by other users. To get that, you need to explicitly specify it with wildcard, which is "-". Put that in your ~/.splunkrc or manually set in connect() method. # Splunk host (default: localhost) host=HOSTNAMEHERE # Splunk admin port (default: 8089) port=8089 # Splunk username username=USERNAMEHERE # Splunk password password=PASSHERE # Access scheme (default: https) scheme=https # Your version of Splunk (default: 5.0) version=6.6.4 #app context app=- #owner wildcard owner=- After that, you should be able to see all objects. For example this should return all searches (global, app, user) from all apps: def main(): opts = parse(sys.argv[1:], {}, ".splunkrc") service = client.connect(**opts.kwargs) savedsearches = service.saved_searches for s in savedsearches: print s.name, s.access["owner"], s.access["sharing"] I hope it helps! ... View more

my bad. Thanks for clarification! ... View more

My understanding that his main question is: "How do i remove the 1st line of the event". But I may be wrong. I agree, it is not very clear. ... View more

Regular expression for your header. Since you have not provided sample for your data, i cannot tell exactly. You can use something like https://regex101.com/#python to help you write a regex. ... View more

I downvoted this post because it does not seems like it has anything to do with the question. why would you want your data without any column names? ... View more

It probably means that splunk does not see it as a header. Look at the props section about structured data FIELD_HEADER_REGEX = <regex> * A regular expression that specifies a pattern for prefixed headers. Note that the actual header starts after the pattern and it is not included in the header field. * This attribute supports the use of the special characters described above. HEADER_FIELD_LINE_NUMBER = <integer> * Tells Splunk the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically. * The default value is set to 0. http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Structured_Data_Header_Extraction_and_configuration ... View more

Of course I only have a small set for your data, but this seems to be working. The main challenge is to line break as you mentioned. Assuming that the first element of the json object is always the same ( in your case, it starts with "team", then this regex should work. LINE_BREAKER = (,*\s+){\s+"team" Once you have events breaking properly, the only thing you have left is to clean up opening and closing square brackets with SEDCMD. Finished Props looks like this: [answers] LINE_BREAKER = (,*\s+){\s+"team" TIME_PREFIX = regDate":\s" MAX_TIMESTAMP_LOOKAHEAD = 30 NO_BINARY_CHECK = true disabled = false KV_MODE = json SEDCMD-remove_opening = s/^\[//g SEDCMD-remove_cloing = s/\]$//g JSON_TRIM_BRACES_IN_ARRAY_NAMES = true I had a similar issue, but my json objects was wrapped yet in another json array. Same solution worked there too. As long as you can line break on the first field of the object - you should be fine. [ "Records": [ { "team" : "spirit", "coach": "matt", "regDate": "2016-07-31T12:23:34Z", }, { "team" : "chill", "coach": "bob" "regDate": "2016-08-01T12:15:19Z", } ] I also spoke with someone from Splunk and they do realize that json array is a common data structure nowadays and they do have an internal Jira task for it as a feature request. I hope it helps! ... View more

Yes, in POST arguments. collection="system.Default" earliest="-90d" taxii_username="user" taxii_password="pass" ... View more

Don't put a full path on the CertFile. This worked for me: [sslConfig] sslVersions = tls caCertFile = cacert.pem FYI: support also said that it is there by default in v2.1.4 of the SA-ldapsearch app. So if it does not work for you, you may try upgrading. ... View more

Love it. Great doc! ... View more

It was a firewall issue for me too. ... View more

That makes sense. Thanks Kristofer. ... View more

I agree, FS-ISAC feed it probably not the cleanest, however Soltra does not have more filtering functionality that Splunk does. If Splunk can handle other taxii feeds directly, why would FS-ISAC be different? You are pulling the exact same feed from Soltra that you are pulling from FS-ISAC, right? Or is there an ability on Soltra to filter it down to a different feed before it is digested by Splunk? ... View more

If ES can pull the Hail a TAXII.com feed directly, why can't it pull FS-ISAC feed too? Why is there a need for Soltra in the middle? The only obvious difference between hailataxxi and fs-isac is certificate that is required by fs-isac. Is it possible to implement it straight on ES without Soltra? ... View more