We have hundreds of saved searches/reports/alerts. I need the power users role to be able to edit and maintain them, but it seems that this permission isn't set by default. Is there a way to bulk set this and have all new reports inherit Power Users / Edit? ... View more

We have hundreds and hundreds of saved searches and dozens of Alerts. I need the power user role to be able to edit and modify all of them. Is there a way in bulk to ensure this role has permissions without opening and editing all individually? Ie some inheritance flag to be set that trickles down such that also by default all new saved searches will be accessible to this role? ... View more

Wondering if anyone has afterglow running in a windows environment on splunk 7x. I have perl installed and graphviz... but I keep getting an error: AfterGlow was not able to generate a graph. Please check the neato directory in the AfterGlow Setup. .conf looks like: [afterglow] disabled = 0 neato_path = C:\Program Files (x86)\Graphviz2.38\bin perl_path = C:\Perl64\bin errors in _internal are: 2018-04-10 14:01:58,141 ERROR [5acd0a253425c6bf216a0] AfterGlow:107 - command_used: "C:\Perl64\bin"\perl "E:\splunk\etc\apps\afterglow\appserver\modules\AfterGlow"\..\..\..\afterglow\afterglow.pl -c "E:\splunk\etc\apps\afterglow\appserver\modules\AfterGlow"\..\..\..\afterglow\sample.properties -a -e 1.2 | "C:\Program Files (x86)\Graphviz2.38\bin"\neato -Tgif -o "E:\splunk\etc\apps\afterglow\appserver\modules\AfterGlow"\..\..\static\afterglow1523386915.320.gif -Tcmapx -o "E:\splunk\etc\apps\afterglow\appserver\modules\AfterGlow"\..\..\static\afterglow1523386915.320.map 2018-04-10 14:01:58,009 INFO [5acd0a253425c6bf216a0] AfterGlow:83 - perl path: "C:\Perl64\bin"\perl 2018-04-10 14:01:58,009 INFO [5acd0a253425c6bf216a0] AfterGlow:82 - neato path: "C:\Program Files (x86)\Graphviz2.38\bin"\neato ... View more

| foreach p* [eval val='<>' | lookup wkst_risk_control asset_risk_position AS 'val'] I have 19 separate p extraction fields called p0-p18. I am looking to loop through each of the field names called p* and do a lookup of the name of the field itself from the lookup table wkst_risk_control to get the supplemental data. I am struggling and missing something. Is foreach the best way or is there a more elegant method? ... View more

The pipeline logic of this discrete math is kicking me hard today. I need to be able to find a list of laptops that are checking into inventory over the past 30 days from off-premise, but have not checked in from on-premise. I have a working search that gathers my entire inventory and looks up the client's address and returns subnet_descriptions. From that search I get ~100 results; anything unknown comes back as NONE where NONE means that it was off-premise . With this it is very easy to | where subnet_description = "NONE" but these results include machines that also checked in from on-premise in the same 30 days. I can | stats count by machinename and then | where count = 1 which would get me close, but it wouldn't tell me if that 1 location was also "NONE" and because stats truncates off the subnet_description, I cannot do a subsequent | where ... I can | stats count by machinename subnet_description but the count is then based upon the two criteria together and one machine gets multiple lines and again I can only filter on one. I need some ideas on how to get just the overlap in these searches and essentially do a | stats count(machinename) | where count machinename = 1 and subnet_description="NONE" Any brain checks would be greatly appreciated. ... View more

I have an input file that has lines like: 2/1/2016,10:21AM,8006529721,4,TOLL-FREE Splunk is accounting for the time correctly in AM/PM however the data_hour values are all being kept in the 12 hour format; so when plotting and selecting for instance out of business hours we don't get good results because we never get an hour value above 12. 1300 to 2400 are lost with the PM. Any ideas how to get hours back to a 24 hour clock? ... View more

Blacklisting works to blacklist a file or directory... but is there an easy way using blacklisting in inputs.conf to filter the input itself in real-time just like we would do from a Windows event log? To drop before indexing a Windows log, we would : blacklist1 = EventCode="46**" Message="Account\sName:.*[\S\s]*Account\sName:\s+[\S+]+[\$]" blacklist2 = EventCode="47**" Message="Logon\sAccount:.*[\S\s]*[dD]ocs_.*" Is there a way to do something similar with a regular file input like in an IIS log to drop everything that ends in a .*\.jpg|png ? I know we can do it through props.confs and transforms files, but it would sure be easier to understand and deploy if only in the inputs.conf. The Windows event log filtering works very very well and would love to keep the configs similar. ... View more