I'm an occasional Splunk Enterprise user so forgive me if this is a noob question or has been answred before: We use Qualys to scan our systems daily for vunerabilties. As such, on things like web servers it generates a lot of logs entries as it scans endpoints. At times it might crawl a website for example generating a lot of failed requests as it creates ad-hoc GET requests to try and see what to can return from the site. As such, I have a requirment to build queries that exclude log entries with the scanners IP address therein. The thing is this IP (or rather IPs) are growing as we introduce slave nodes to scan our network. What I would like to do is the following: have our query creators use a token that is a list of the Qualys scanner IP addresses and use that as an exclusion in their search macros e.g. index=iis | c_ip NOT ($myglobaltoken)  The thing is though I want this token defined globally by the admin team so we can update the values in it and thus all queries (in different apps etc.) referencing it are updated thus.  Is this possible? ... View more

  I have Splunk 8.0.5: One cluster master One Search head Two indexers to host clustered indexes I would like to create a weekly report showing: License consumption per index, host, source, sourcetype License consumption per index and thereafter broken down per host, source, sourcetype Is there already some canned report for this (licensing dashboard?) or would anyone have a custom query? ... View more

I'm sure this is a noob question but here goes. I have used Splunk from the user perspective but now dipping my toes as an admin. I have Splunk 8.0.5: One cluster master One Search head Two indexers to host clustered indexes I am logged into the UI of the search head and have the admin role but I cannot do any of the following: View any of the clustered custom indexes View the licensing usage in the monitoring console I'm presuming this is because it need to logon to the UI of the master node for this in a clustered configuration? So when I try to do this with my account (LDAP) it fails. Is the auth.conf per node in the cluster or centralized?  ... View more

Hi guys, looking at the Splunk Dashboards app here. Just wondering if this is simply an app that makes it easier to generate custom HTMLor SimpleXML dashboards or it is utilizing a new framework for Dashboards ... View more

Hi guys, I'm a very intermittent user of Splunk Enterprise 8. I tend to build dashboards for a team to display on their floor and then walk away for 6 months until a new use case comes up. Recently had to do a migration of 200 forwarders from an old Splunk 6 instance to a new Splunk 8 one. I spent a huge amount of time checking with sysadmins what the role of various hosts was (i.e. what role the actual server was i.e. web server, DB server etc.). So my question is: - Can the hosts in Splunk be tagged with metadata to describe their function? ... View more

Guys, have one old Splunk 6.1.4 instance that I cannot decommission for a while (won't go into details 😐 ). I was looking at customizing the field colors some of my simple XML generated tables using the tables examples here https://splunkbase.splunk.com/app/1603/ but this example works only for single value fields and mine are multi-value. Anyone have an example for mutli-value fields? I'm a JavaScript noob! ... View more