×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
matts1234
Engager
Member since: ‎08-23-2011
‎06-05-2020
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 3
Member Since ‎08-23-2011
Activity Feed
View All

Re: How do I stop forwarding the _audit index?

by in Getting Data In
‎07-06-2015 09:36 AM
‎07-06-2015 09:36 AM
You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf [tcpout] ... forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection) forwardedindex.filter.disable = false The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes. The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below: Rewrite rule #2 to remove _audit: [tcpout] forwardedindex.2.whitelist = (_internal|_introspection) Add a new rule #3 re-enforcing the blacklist of _audit: [tcpout] forwardedindex.3.blacklist = _audit Either one of these should work. Cheers! ... View more

Re: How to delete searches in a Search Head Cluste...

by in Deployment Architecture
‎04-22-2016 01:16 PM
‎04-22-2016 01:16 PM
Is the only way for me to delete Searches to manually prune them from the configuration files before re-uploading it to the Deployer for distribution? Yes unfortunately this is the only supported way (for now?) Manually placing conf files on the search head cluster members local apps directory like other have suggested is not a supported way. Im not saying that people haven't done it and it seems to work, but no one from Splunk will tell you that its ok to do it that way ... View more

Re: Identfying the Search Terms Matched

by in Splunk Search
‎06-28-2016 09:07 PM
2 Karma
‎06-28-2016 09:07 PM
2 Karma
I know this is an old post but I too needed this exact same functionality. Being that none existed I created the matched command app--https://splunkbase.splunk.com/app/3209/. The app supplies just one command - matched - and can be used like so: * [|inputlookup ransomware_variants|rename variant as search|format]|table _time _raw|matched csv="/opt/splunk/etc/system/lookups/ransomware_variants.csv" Hopefully it helps someone else out with the same problem. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from