For anyone interested, there is an idea for this (current status is "Future Prospect"): https://ideas.splunk.com/ideas/EID-I-486.  ... View more

As I said earlier, I don't think this is possible. You could create an idea on ideas.splunk.com to have a "readonly-admin" role, but I am not sure if this is a very common request that will get many votes/attention. ... View more

This has been asked on the splunk-usergroups slack before. At that time (May 2022) the answer by Lizzy Li was "adding something in the UI to inspect the job is on the roadmap, but unfortunately not available at the exact moment". I'm not sure about the current status but the release notes do not mention anything so I'd assume it's not yet possible. ... View more

There is more than one way to do it. Since you mentioned csv already, let's use that. I'm going to assume it has two columns, uuid and client_id. You need your csv in Splunk for this of course - so either upload it or create it in Splunk if you haven't done so already. Next, I'd suggest you create a lookup definition for your csv file. Then, you'd use your lookup like this: index=this <your search finding UUIDs> | lookup your_lookup_definition uuid OUTPUT client_id | table _time client_id src_ip method (or whatever other fields you want) If this is something you always want for this type of data, you might want to consider an automatic lookup. That would make splunk implicitly run that | lookup command for all searches against e.g. this sourcetype, so you wouldn't need to have it in every SPL explicitly. ... View more

Well, have you read your error message? It says "No such file or directory", which indicates the tar file is either not in the same directory as you are in or the permissions might be off. You can verify that running ls -al to show the files in your current working directory and their permissions. This is not a Splunk issue. ... View more

It should not be a permission issue against the endpoint. You'll be able to run this search as any user: | rest splunk_server=local services/authentication/users But it'll only return what your roles permit you to see, i.e. only your own user or all users. ... View more

I don't think you can do this with permissions alone, as e.g. a call to services/authentication/users with | rest is also limited to your permissions and a "readonly" capability for users exists to my knowledge. Depending on your use case, you could collect the users in a summary index or a lookup and have your role search that instead (or better yet, as rich mentioned while I was typing, use a report running as owner!) ... View more

That's not a valid cron expression. For "every month 1st Saturday at 00:05 AM", I don't think that's possible with a single cron. You could schedule your search to run daily for a week, using this cron: 5 0 1-7 * * And then in your search you check what day of the week it is and only return results on saturday, like this: your existing search | eval day_of_week = strftime(now(), "%a") | where day_of_week = "Sat" It's not as pretty as what you brought, but it should result in your desired behavior. ... View more

Unfortunately, the links at the end of this post point to "depublished" conf talks, as Splunk for some reason does not keep old talks searchable from the .conf pages. There is an idea to fix this (https://ideas.splunk.com/ideas/PORTALSID-I-141) - feel free to upvote if you'd like, and @sloshburch maybe you can you link to the pdf directly instead? ... View more

The easy solution to this is the option "allowCustomValues" on a multiselect. With this, you can input custom values that can include a wildcard. <input type="multiselect" token="multi_tok"> <label>multi with custom values</label> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> <search> <query>| tstats count where index=_internal by sourcetype</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <allowCustomValues>true</allowCustomValues> </input>   ... View more

I see there are existing answers that handle the logic in a search in SPL. For the question asked, I would prefer to handle the logic on the dashboard. Here's how I'd do it:   <fieldset submitButton="false"> <input type="text" token="raw_tok"> <label>Search for something</label> <change> <condition match="match(value, &quot;^\\*$&quot;)"> <unset token="target"></unset> </condition> <condition value="*"> <set token="target">$value$</set> </condition> </change> </input> </fieldset> <row> <panel rejects="$target$"> <html> <p>Please use wildcards only after at least specifying part of a value, such as "something*"</p> </html> </panel> <panel depends="$target$"> <table> <search> <query>| makeresults | eval foo = "something_123" | search foo="$target$"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> In addition to keeping the logic on the dashboard, this will only create a search job when the condition is met, otherwise it would wait for the unset token to be filled. Using the dashboard eval logic also allows to e.g. check for a minimum input length or other conditions. More details in docs for eval and match. Obvious reminder that this is not a security feature, only a UI limitation on this dashboard - your users can of course still open a working search and change the SPL to search for "*", or not filter at all. ... View more

You should post more details about what "stopped working". Do you see any error messages on the console? Does your code error on loading, or on specific calls? Were you using any jquery methods that have been deprecated in 3.5? ... View more