Activity Feed
- Got Karma for Updates to InfoSec App for Splunk?. 08-05-2024 02:19 PM
- Got Karma for Re: Issues with search head members pushing configs to captain. 06-28-2024 12:40 PM
- Got Karma for Re: How to upgrade Mongo in Splunk 9.0.0?. 10-07-2023 02:29 AM
- Posted Re: storing data from dbxquery fails with "unable to process Record" on Getting Data In. 09-13-2023 01:22 PM
- Posted Re: Capability to add asset to app on All Apps and Add-ons. 08-17-2023 02:30 PM
- Karma Re: Capability to add asset to app for VatsalJagani. 07-25-2023 06:50 AM
- Posted Re: Capability to add asset to app on All Apps and Add-ons. 07-24-2023 09:04 PM
- Karma Re: Capability to add asset to app for VatsalJagani. 07-24-2023 09:04 PM
- Posted Re: How to upgrade Mongo in Splunk 9.0.0? on Installation. 07-18-2023 09:06 AM
- Posted Is there capability to add asset to app? on All Apps and Add-ons. 07-12-2023 08:24 AM
- Tagged Is there capability to add asset to app? on All Apps and Add-ons. 07-12-2023 08:24 AM
- Karma Re: How to resolve issues with mongod startup such as "Failed to start KV Store process" error? for jotne. 07-10-2023 12:04 PM
- Posted Re: What capability is required for users to be able to use "add asset" function of a particular app? on All Apps and Add-ons. 07-06-2023 03:50 PM
- Got Karma for Re: How to upgrade Mongo in Splunk 9.0.0?. 06-27-2023 12:05 AM
- Posted Updates to InfoSec App for Splunk? on All Apps and Add-ons. 06-22-2023 02:16 PM
- Tagged Updates to InfoSec App for Splunk? on All Apps and Add-ons. 06-22-2023 02:16 PM
- Karma Re: Why can I edit another users KO's but can't edit permissions to KO's owned by another user? for isoutamo. 05-30-2023 05:19 AM
- Posted Why can I edit another users KO's but can't edit permissions to KO's owned by another user? on Knowledge Management. 05-24-2023 07:40 AM
- Tagged Why can I edit another users KO's but can't edit permissions to KO's owned by another user? on Knowledge Management. 05-24-2023 07:40 AM
- Got Karma for Re: How to upgrade Mongo in Splunk 9.0.0?. 05-02-2023 11:47 AM
09-13-2023 01:22 PM
Were you able to find a solution for this?
08-17-2023 02:30 PM
Back to the drawing board: we upgraded to 9.0.5 and app owners can no longer upload assets. Double checked that edit_local_apps was still selected. Any help would be appreciated!
07-12-2023 08:24 AM
As a Splunk admin I am able to add a js file to a customer's app via "Edit Properties" of the app and then "Upload asset"; however, the application owners don't have permission. They can, however, create other knowledge objects, lookups, alerts, etc. Which capability turns the feature "Upload asset" off/on, or is there a setting that we've turned on that blocks it? We may have it disabled or be blocking it for security purposes, but would like to turn it on in our development environment for our customers doing content development. Thanks!
Labels: configuration
07-06-2023 03:50 PM
As a Splunk admin I am able to add a js file to a customer's app via "Edit Properties" of the app and then "Upload asset"; however, the application owners don't have permission. They can, however, create other knowledge objects, lookups, alerts, etc. Which capability turns this feature "Upload asset" off/on? We may have it disabled for security purposes but would like to know which capability it is. Thanks!
06-22-2023 02:16 PM (1 Karma)
We are looking at utilizing the "InfoSec App for Splunk" however the last version is from June of 2021 (two years ago). Has this app been superseded by another or is there a different long term plan for the app? Just wanting to know if we should continue down this path or another path. Thanks!
Labels: installation
05-24-2023 07:40 AM
Is it expected behavior that when a user has write capability to another user's knowledge object and to the app, that write capability does not include the "Edit Permissions" capability for that object?
Users have the ability to edit objects that they are not the owner of, but don't have the ability to edit the permissions of the objects they are not the owner of. They can only edit permissions of objects that they own.
We can see the users are in the role that has write permissions to the object as well as write permissions to the app, and the objects in the app aren't private, but for saved searches the "Edit Permissions" option does not appear in the Edit dropdown menu. The Edit Permissions option only seems to appear for the owner of the object. For lookups owned by another user, Permissions can be seen by others with write capability to the object but are greyed out, and they are unable to modify the permissions.
We've verified that the user can edit the object by modifying a savedsearch or lookup, clicking on save, and subsequently seeing the change afterwards. Write permissions seem to exist for objects owned by another user, but not the ability to modify the permissions of those objects.
This occurs on multiple search centers.
Labels: permissions
03-16-2023 08:58 AM
The closest document I could find to an Operating System to Universal Forwarder version compatibility is the download site (link below), is there another link that can be used?
https://www.splunk.com/en_us/download/previous-releases-universal-forwarder.html
Labels: universal forwarder
03-09-2023 03:06 PM
It's a new field in splunk show kvstore-status --verbose, but I don't recall in what version of either the kvstore or Splunk it was introduced.
01-16-2023 09:38 AM (2 Karma)
We were prevented from migrating to the new engine, wiredTiger, when we didn't have enough storage. Once we cleaned up some disk space we were able to go back and run this after the upgrade to 9.x: splunk migrate migrate-kvstore (for standalone nodes). You'll get a message like this if you run it manually:

```
ERROR: Not enough space to upgrade KVStore, you will need requiredBytes=102776856576 bytes, but KV Store DB filesystem only has availableBytes=32339398656
```

We also completed the migration of some kvstores to the new wiredTiger engine manually but forgot to remove the storageEngineMigration=true line from server.conf. Also run a btool and make sure you don't have the engine hardcoded: splunk btool server list --debug |grep -i engine. wiredTiger is the default in 9.x.

A helpful doc: https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/MigrateKVstore

```
[splunk@ ~]$ splunk show kvstore-status --verbose |grep -i engine
storageEngine : wiredTiger
[splunk@~]$
```

If the engine is set to mmapv1 it won't be able to upgrade to 4.2.
11-02-2022 06:40 AM
We have created an experiment in MLTK and published a model for it, is there a way other viewers can see the experiment? Everyone seems to be able to see only their own experiments when navigating to the experiments tab. I would have expected to see a Permissions option in the Manage drop down menu.
Labels: administration
09-15-2022 09:27 AM
We are planning to upgrade ES from 6.6.2 to 7.0.1. One of the new features will have a pop up window indicating that a new Content Update version is available and allows for the option to upgrade to the new version. We'd like to suppress this pop up and/or prevent the update through the UI. Would either of the below two settings prevent the pop up? If we can't suppress the pop up, will either of the below two settings help prevent the update from occurring?

web.conf: Setting 'updateCheckerBaseURL' to 0 stops Splunk Web from pinging Splunk.com for new versions of Splunk software.

app.conf: Setting 'check_for_updates' to 0; this setting determines whether Splunk Enterprise checks Splunkbase for updates to this app.

https://docs.splunk.com/Documentation/ES/7.0.0/RN/Enhancements

Automated updates for the Splunk ES Content Update (ESCU) app: When new security content is available, the update process is built into Splunk Enterprise Security so that ES admins always have the latest security content from the Splunk Security Research Team.
Labels: administration, upgrade
09-14-2022 11:16 AM
Newbie to partial_fit, good to know we should have been doing this all along for partial_fit!
09-07-2022 07:40 AM (1 Karma)
We upgraded Splunk Enterprise version 9.0.0 from 8.2.5 and it did the upgrade of mongodb as part of the upgrade process, make sure you have enough disk space. You can also do the upgrade beforehand. If you are on version 3.6 it will do a hop to 4.0 before the final upgrade to 4.2. Check the version in use here: splunk show kvstore-status --verbose |grep serverVersion. It freed up tons of disk space for us after the upgrade, helps a lot if you have large kvstores.
06-29-2022 12:58 PM (11 Karma)
We were able to upgrade mongo via the migrate command; thought it was only for the engine:

```
[splunk@ ~]$ splunk migrate migrate-kvstore
[App Key Value Store migration] Starting migrate-kvstore.
[App Key Value Store migration] Checking if migration is needed. Upgrade type 2. This can take up to 600seconds.
[App Key Value Store migration] Migration is not required.
Created version file path=/opt/splunk/var/run/splunk/kvstore_upgrade/versionFile42
Finished standalone KVStore update, stop_time="2022-06-29 13:41:29".
[splunk@ ~]$
[splunk@ ~]$ splunk show kvstore-status --verbose |grep serverVersion
serverVersion : 4.2.17
[splunk@ ~]$
```
06-24-2022 09:16 AM (1 Karma)
https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/MigrateKVstore#Upgrade_KV_store_server_to_version_4.2

Upgraded Splunk Enterprise version 9.0.0 from 8.2.5.

Looking to see how to upgrade mongo from 4.0 to 4.2 on a single instance deployment. During the Splunk Enterprise upgrade the migration to wiredTiger failed due to lack of disk space; the upgrade still continued and made the first hop of the mongo upgrade from version 3.6 to 4.0. It looks like after version 4.0 it tried to do the engine migration but couldn't because of the lack of available disk space, and therefore didn't do the last hop to version 4.2 of mongo. We have since fixed the disk space issue and were able to complete the engine migration to wiredTiger; however, we don't know how to bump up the mongo version to 4.2. The above link is for upgrading mongo in a cluster but not on a single instance. When looking at the options in splunk help kvstore I don't see anything for upgrading mongo for a single instance either; tried splunk start-shcluster-upgrade kvstore -version 4.2 -isDryRun true but of course it detected it wasn't a searchhead cluster. Lastly, trying to understand the difference in the output of mongo versions between the kvstore-status command versus splunk cmd mongod -version; clearly pulling from two different places.

```
[App Key Value Store migration] Starting migrate-kvstore.
Created version file path=/opt/splunk/var/run/splunk/kvstore_upgrade/versionFile36
Started standalone KVStore update, start_time="2022-06-22 15:21:46".
[App Key Value Store migration] Checking if migration is needed. Upgrade type 1. This can take up to 600seconds.
[App Key Value Store migration] Migration is not required.
Created version file path=/opt/splunk/var/run/splunk/kvstore_upgrade/versionFile40
Not enough space to upgrade KVStore (or backup). You will need requiredBytes=3107201024 bytes, but KV Store DB filesystem only has availableBytes=2286272512
[App Key Value Store migration] Starting migrate-kvstore.
[App Key Value Store migration] Storage Engine hasn't been migrated to wireTiger. Cannot upgrade to service(42)
```

```
[splunk ~/var/run/splunk/kvstore_upgrade]$ splunk show kvstore-status --verbose |grep serverVersion
serverVersion : 4.0.24
[splunk ~/var/run/splunk/kvstore_upgrade]$
[splunk ~/var/run/splunk/kvstore_upgrade]$ splunk cmd mongod -version
db version v4.2.17-linux-splunk-v3
git version: be089838c55d33b6f6039c4219896ee4a3cd704f
OpenSSL version: OpenSSL 1.0.2zd-fips 15 Mar 2022
allocator: tcmalloc
modules: none
build environment:
    distmod: rhel62
    distarch: x86_64
    target_arch: x86_64
[splunk ~/var/run/splunk/kvstore_upgrade]$
```
Labels: upgrade
06-15-2022 10:58 AM
I ran this on a vanilla 8.2.5 system:

```
[splunk~]$ splunk cmd mongod -version
db version v3.6.17-linux-splunk-v4
git version: 226949cc252af265483afbf859b446590b09b098
OpenSSL version: OpenSSL 1.0.2za-fips 24 Aug 2021
allocator: tcmalloc
modules: none
build environment:
    distarch: x86_64
    target_arch: x86_64
[splunk~]$
```
05-26-2022 10:50 AM
We were getting this error on one of our standalone search heads when trying to update the password of identities after a jre update, we noticed the jars/server.jar file didn't match with the other search centers, once we replaced that we were able to add identities and update existing ones.
10-18-2021 10:57 AM
Correct, the older version of polkit is what we discovered
09-13-2021 06:32 AM (1 Karma)
We had the same issue. We looked in _internal and found that there was a large lookup:

```
index=_internal sourcetype=splunkd "is having problems pushing configurations to the search head cluster captain"

ERROR ConfReplicationThread [5001 ConfReplicationThread] - Error pushing configurations to captain=https://xxx.xxx.xx.xx:8089, consecutiveErrors=1678 msg="Error in acceptPush, uploading lookup_table_file="/apps/splunk/etc/apps/search/lookups/xxx.csv": Non-200 status_code=413: Content-Length of 5452600466 too large (maximum is 5000000000)": Search head cluster member (https://xxx.xxx.xx.xx:8089) is having problems pushing configurations to the search head cluster captain (https://xxx.xxx.xx.xx:8089). Changes on this member are not replicating to other members.
```

The lookup was 5GB. We decreased the size of the lookup and the error no longer appeared on the monitoring console or in _internal.
02-10-2021 02:39 PM
```
splunk@qasshd$ rpm -qa systemd
systemd-219-78.el7_9.2.x86_64
```
02-10-2021 02:37 PM
```
splunk@qasshd$ rpm -qa polkit
polkit-0.112-26.el7.x86_64
splunk@qasshd$
```
02-10-2021 02:31 PM
We upgraded to 8.1.2 and want to use workload manager; workload manager requires systemd. With 8.1.x you can allow the splunk user to stop/start the systemd splunk service, which works fine; however, it seems to be too broad of a configuration and also allows for stopping/starting other systemd services as well. Is there a way to lock down the polkit rule so it doesn't grant beyond the splunk service? I'll do more research on polkit to see if I can find a way, but wondering if others have done this.

```
sh-4.2$ sudo /apps/splunk/bin/splunk enable boot-start -systemd-managed 1 -create-polkit-rules 1 -user splunk
CAUTION: The system has systemd version < 237 and polkit version > 105. With this combination, polkit rule created for this user will enable this user to manage all systemd services.Are you sure you want to continue [y/n]? y
Systemd unit file installed at /etc/systemd/system/Splunkd.service.
Polkit rules file installed at /etc/polkit-1/rules.d/10-Splunkd.rules.
Configured as systemd managed service.
sh-4.2$ sudo su - splunk
splunk@qasshd$ systemctl stop amazon-ssm-agent.service
splunk@qasshd$ systemctl status amazon-ssm-agent.service
● amazon-ssm-agent.service - amazon-ssm-agent
   Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2021-02-10 22:19:39 UTC; 7s ago
  Process: 1130 ExecStart=/usr/bin/amazon-ssm-agent (code=exited, status=0/SUCCESS)
 Main PID: 1130 (code=exited, status=0/SUCCESS)
splunk@qasshd$ systemctl start amazon-ssm-agent.service
splunk@qasshd$ systemctl status amazon-ssm-agent.service
● amazon-ssm-agent.service - amazon-ssm-agent
   Loaded: loaded (/etc/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-02-10 22:19:55 UTC; 3s ago
 Main PID: 5087 (amazon-ssm-agen)
   Memory: 30.6M
   CGroup: /system.slice/amazon-ssm-agent.service
           ├─5087 /usr/bin/amazon-ssm-agent
           └─5101 /usr/bin/ssm-agent-worker
splunk@qasshd$
```

This is our rules file: /etc/polkit-1/rules.d/10-Splunkd.rules

```
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.user == "splunk") {
        return polkit.Result.YES;
    }
});
```
Labels: administration
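The rules file quoted in the post grants org.freedesktop.systemd1.manage-units for every unit, which is why the splunk user could stop amazon-ssm-agent. As an added example that is not from the post or from Splunk's own tooling, the script below models polkit's rule evaluation in plain JavaScript and compares that rule with one scoped to Splunkd.service through the unit and verb details systemd attaches to the request; the helpers (authorize, request, decideBroad, decideScoped) are constructed for this illustration. The scoped form only helps when systemd supplies those details; on a systemd too old to attach them (the combination the CAUTION in the post describes) it matches nothing and authorization falls back to the default policy.

```javascript
// Added example (not from the post or Splunk): a minimal stand-in for the
// polkit rules API so both rule bodies can be exercised offline. In real
// polkit, action.lookup(key) reads details systemd attaches to the request.
const polkit = { Result: { YES: "yes", NO: "no" } };
// polkit semantics: rules run in order and the first one returning a value
// decides; undefined means "not handled", so the default policy applies.
function authorize(rules, action, subject) {
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined) return r;
  }
  return "default";
}
// Constructed request. unit/verb may be undefined, which is how a systemd
// that does not attach those details looks to the rule.
function request(unit, verb, user) {
  const details = { unit, verb };
  return {
    action: { id: "org.freedesktop.systemd1.manage-units",
              lookup: (key) => details[key] },
    subject: { user },
  };
}
// Rule as written in the post's 10-Splunkd.rules: any unit, any verb.
const broadRule = (action, subject) => {
  if (action.id == "org.freedesktop.systemd1.manage-units" &&
      subject.user == "splunk") {
    return polkit.Result.YES;
  }
};

// Scoped form (assumed, not Splunk's generated file): only Splunkd.service
// and only plain lifecycle verbs are granted without a password.
const scopedRule = (action, subject) => {
  if (action.id == "org.freedesktop.systemd1.manage-units" &&
      subject.user == "splunk" &&
      action.lookup("unit") == "Splunkd.service" &&
      ["start", "stop", "restart"].includes(action.lookup("verb"))) {
    return polkit.Result.YES;
  }
};
function decideBroad(unit, verb, user) {
  const { action, subject } = request(unit, verb, user);
  return authorize([broadRule], action, subject);
}
function decideScoped(unit, verb, user) {
  const { action, subject } = request(unit, verb, user);
  return authorize([scopedRule], action, subject);
}
```

A "default" result here stands for polkit's normal behaviour when no rule handles the request, which for manage-units means an administrator authentication prompt rather than silent success.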
12-10-2020 07:28 AM
We recently installed the Splunk app and add-on for Infrastructure and have found that the app is very similar to Analytics Workspace, will one eventually replace the other? Analytics Workspace comes with Splunk. What are the differences between the two? Outside of the entities and grouping entities I don't see many differences. Thanks...Alisa