Has anybody figured out how to use a self-signed certificate without getting a warning that it's invalid? I can access Splunk anyway and it does in fact use my certificate, but for the long haul I would want there to be no annoying warnings. I followed these instructions exactly: https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Self-signcertificatesforSplunkWeb https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/SecureSplunkWebusingasignedcertificate I imported the myCACertificate.pem into Chrome by the way. It's also a testing environment with no live feeds. ... View more

My search does not complete even after giving it an over hour. The progress bar is all the way at the end, and it tells me that 441,760 of 28,000,000 odd events have been matched, which is the correct number of results expected. But in the Statistics tab, only 4,226 results are displayed. When I stop the search, Splunk lets me know that the search failed due to an error. base_search1 | rename destination_ip as ip | append [search base_search2 | rename source_ip as ip ] | append [search base_search3 | rename source_ip as ip ] | append [search base_search4 | rename destination_ip as ip ] | dedup ip | table ip | sort 0 + ip | outputlookup ip.csv | lookup dnslookup clientip AS ip OUTPUTNEW clienthost AS ip_resolved | fillnull value="not found" ip_resolved | table ip, ip_resolved | outputlookup hosts.csv I have done the same search for a smaller dataset before which had 52,000 odd results of 28 million events and worked fine. Last time I made it work by ensuring I use sort 0, and edited limits.conf maxresultrows value to be 60,000. For the new search, even after increasing the maxresultrows value to 500,000 after my search first failed, it didn't work but returned 4,000 odd results instead of 2,000 odd results in my earlier attempt. However, the ip.csv is created correctly and contains all the values. Do I need to make any other conf file changes or something else? My limits.conf looks like this: [searchresults] maxresultrows = 500000 Maximum number of times to try in the atomic write operation (1 = no retries) tocsv_maxretry = 5 Retry period is 1/2 second (500 milliseconds) tocsv_retryperiod_ms = 500 ... View more

I have Dashboard #1 where a panel uses a dropdown for a timechart count by. Example values of that dropdown are src_ip and dst_ip. I can populate the text input for Destination IP (token=destination_ip) in Dashboard #2 using this drilldown on Dashboard #1's panel: form.destination_ip=$click.name2$ Is it possible to drilldown the correct field value in Dashboard #2 depending on what field is selected from the dropdown in Dashboard #1? For info, Dashboard #1 is used to look at one source for a summary, and Dashboard #2 looks at 2 sources so I can investigate correlations of more specific event groups once I see something insteresting in Dashboard #1. ... View more