This Worked for me as well.  No need to give admin_all_objects permission! Splunk V. 8.2.5 ... View more

D'oh! Thanks Damien! ... View more

I encountered this error after connecting LDAP. Splunk added the role "exchange-admin" to the admin profile, but this role did not exist. I created a role with the same name and the issue was resolved. ... View more

Do you have a blacklist1 and blacklist2 , too? I don't think blacklist3 will work without them. If you don't, then try this (escaping the dollar sign, too): blacklist1 = EventCode=4624 Security_ID="NULL SID" Security_ID="DOMAIN*\$" ... View more

Hi glancaster, Here there are two issues that why you was not able to display the custom attribute 1) custom attribute $customAttribute$ not available for the particular $cn$ 2) Admin account not have permission to display the custom attribute. it need to be specified in the ACL( access control list). here you have check what admin account you are using to connect the ldap then you have to change the ACL setting for the Admin account in the LDAP server. Thank you ... View more

I got this error whilst trying to disable the obsolete (according to Google Chrome) RSA key exchange ciphers by removing the "RSA+AESGCM:RSA+AES" from my cipherSuite. Upon investigating this issue, it seemed to be caused by the fact that out of the box, splunk cannot use the ECDH ciphers (ecdhCurves = ), so it always does a fallback to the ciphers with RSA as key exchange. But if you remove the RSA ciphers, there are no ciphers left for splunk to use, so it fails. By specifying "ecdhCurves = prime256v1,secp384r1,secp521r1" the ECDH ciphers can be used, and solves the problem. side-note; Using this in combination with the following config enables HSTS headers and Perfect Forward Secrecy: cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; ecdhCurves = prime256v1,secp384r1,secp521r1 sendStictTransportSecurityHeader = true sslVersions = tls1.2 The above configuration is applicable to server.conf under [sslConfig] for the mgmt and kv store port, and in web.conf under [settings] for splunkweb. (The ciperSuite is taken form the Mozilla SSL Configuration Generator using the modern profile. Older browsers may not support this) ... View more

This worked exactly like I needed! Here is what I ended up with: index=audit host=search-* earliest=-90d latest=-1d |search search_id=scheduler* | timechart dc(search_id) AS SchedSearches span=1d| appendcols [search index=audit host=search-* earliest=-90d latest=-1d search_id=scheduler* user=* | bucket _time span=1d |stats count by _time, user |timechart avg(count) as "AVG Search Head Usage"] Do you know how I could ask to forget any users who did not have more than 5 searches that day? I tried adding in |stats count by user |search count > 5 but thats yielded no results. Cheers! ... View more

lguinn, thank you for the answer and it does help point to the proper way to handle this type of situation. This will take some evaluation of 'data size' compared to 'data age' but I suppose that is a good thing to be aware of in my environment. ... View more

Agreed. There's nothing you can do here other than to increase the amount of the time the file sticks around. ... View more

Is possible use | accum ? ... View more

The module should look something like this: <module name="HiddenSavedSearch" layoutPanel="panel_row5_col1"> <param name="savedSearch">_capsule_details_search</param> <param name="useHistory">True</param> You will just need your savedsearch to be scheduled on a regular basis to ensure it doesn't keep grabbing the old search data. ... View more

@glancaster: a couple things could happen: 1) Some dashboards may show odd results. For example, a panel may report on hosts with old anti-virus client versions that don't appear to exist (because they were host created by EventGen). 2) You may get some alerts from the correlation searches that are based on old EventGen data. The best practice is remove and re-install ES. If you aren't noticing anything strange and you are already using ES, then you may just want to stick with your current install. You'll probably be just fine. ... View more