Activity Feed
- Posted Forward data to two different indexers and filter a field out on Getting Data In. 12-05-2024 02:39 PM
- Posted Forwarding events to 2 indexer clusters but transform one copy on Splunk Enterprise. 12-04-2024 01:05 PM
- Karma Re: Password protecting emailed reports for PickleRick. 09-13-2024 12:51 PM
- Posted Password protecting emailed reports on Reporting. 09-12-2024 09:38 AM
- Posted Re: migrate to auth0 for SAML friendly username instead of user_id on Security. 01-29-2024 12:31 PM
- Karma Re: migrate to auth0 for SAML friendly username instead of user_id for datadevops. 01-29-2024 12:31 PM
- Posted How to change the username when migrating to saml authentication on Security. 01-25-2024 04:52 PM
- Posted migrate to auth0 for SAML friendly username instead of user_id on Security. 01-24-2024 10:24 AM
- Karma Re: Using a lookup table to store regex patterns to be used in a search for dtburrows3. 01-02-2024 03:43 PM
- Posted Re: Using a lookup table to store regex patterns to be used in a search on Splunk Search. 01-02-2024 03:42 PM
- Posted Using a lookup table to store regex patterns to be used in a search on Splunk Search. 01-02-2024 02:37 PM
- Posted Reports are not indexed correctly on Getting Data In. 11-29-2023 04:24 PM
- Karma Re: Does using a kvstore lookup in a SH cluster decrease performance? for richgalloway. 10-27-2023 09:38 AM
- Posted Does using a kvstore lookup in a SH cluster decrease performance? on Knowledge Management. 10-27-2023 09:27 AM
- Posted Re: Using a token to dynamically set the window parameter in streamstats on Dashboards & Visualizations. 10-06-2023 11:33 AM
- Posted Using a token to dynamically set the window parameter in streamstats on Dashboards & Visualizations. 10-06-2023 11:12 AM
- Posted Re: How to optimize my dashboard panel on Splunk Search. 06-09-2023 03:02 PM
- Posted Am I only allowed to yield results in the generate function? on Splunk Dev. 06-09-2023 02:43 PM
- Posted How to optimize my dashboard panel on Splunk Search. 06-09-2023 11:29 AM
- Posted How to prevent users from sharing adhoc searches? on Security. 04-19-2023 10:02 AM
Topics I've Started
12-05-2024 02:39 PM
I need to forward data from a heavy forwarder to two different indexer clusters. One of the clusters needs to have a field removed. If I use SEDCMD in props.conf on the HF, it removes it for both, and putting SEDCMD in props.conf on one of the indexers doesn't work (it does work if I bypass the HF). Is there a way to do this?
Edit: I was thinking of using an intermediate forwarder, so heavy forwarder -> another heavy forwarder -> indexer cluster, but the intermediate heavy forwarder's props.conf does not work.
Labels: heavy forwarder
12-04-2024 01:05 PM
I have a heavy forwarder that sends the same event to two different indexer clusters. Now this event has a new field "X" that I only want to see in one of the indexer clusters. I know that in props.conf I can configure the sourcetype to do the removal of the field, but that would be at the sourcetype level. Is there any way to remove it on one copy and not the other? Alternatively, I could do the props.conf change at the indexer level instead.
Labels: configuration
01-29-2024 12:31 PM
Thanks for the response. How do I do step 4, modifying searches/apps to use the realName field as the owner?
01-25-2024 04:52 PM
I am switching from local auth to SAML authentication, and when logging in, the username is now a random string. How do I get it to be the "nickname" or friendly name that is provided in the SAML response? Is there a way to override the field in the saml stanza in authentication.conf? Changing the realName field in the authenticationResponseAttrMap_SAML stanza in authentication.conf doesn't actually change the username. If it is not possible, how would I transfer knowledge objects to the "new" users?
Labels: authentication, SAML
01-24-2024 10:24 AM
I am migrating to using Auth0 for SAML, which authenticates against Active Directory for Splunk. Currently Splunk just uses Active Directory. I have the realName field set to the "nickname" attribute in the SAML response, which is the username, but when I run searches or make dashboards/alerts they are assigned to the user_id attribute, which is gibberish. I'm wondering how we can make the knowledge objects assigned to the friendly username instead of the user_id, because I'm curious whether a user will still be able to see their historical knowledge objects since the owner value is now different, unless it is somehow mapped to it.
Labels: authentication, SAML
01-02-2024 03:42 PM
That is a pretty good solution. But I was looking for something that wouldn't require updating the query if another regex is added to the list.
01-02-2024 02:37 PM
Is it possible to store regex patterns in a lookup table so that they can be used in a search? For example, let's say I have the following regexes, like "(?<regex1>hello)" and "(?<regex2>world)". My actual regexes are not simple word matches. I want to write another query that basically runs a bunch of regexes like

| rex field=data "regex1"
| rex field=data "regex2"

etc. Is it possible to use the subsearch to extract the regexes and then use them as commands in the main query? I was trying something like

| makeresults 1 | eval data="Hello world" [| inputlookup regex.csv | streamstats count | strcat "| rex field=data \"" regex "\"" as regexstring | table regexstring | mvcombine regexstring]

so that the subsearch outputs the following:

| rex field=data "(?<regex1>hello)"
| rex field=data "(?<regex2>world)"
11-29-2023 04:24 PM
I have a single search head and configured props.conf to have DATETIME_CONFIG = CURRENT, as I want the data to be indexed at the time Splunk receives the report. I restarted Splunk after every change. Previously I had it set to a field in the report. When I upload a CSV and use the correct sourcetype, it assigns the current time to the report. When I upload a report via curl through the HEC endpoint, it indexes it to the right time. Same thing when I run it through a simple script. But when the test pipeline runs, it indexes data to the timestamp that is in the report, even though it is using the same sourcetype as the other tests I did. Is it possible to add a time field that overrides the sourcetype config? Is there a way to see the actual API request in the Splunk internal logs?
Labels: HTTP Event Collector
10-27-2023 09:27 AM
I have a kvstore lookup in a single SH environment. If the environment is made into a cluster and kvstore replication is on, would that decrease the performance of updating or searching using the lookup?
10-06-2023 11:33 AM
Looking at it again, the token is working. The search was waiting for other tokens to be populated.
10-06-2023 11:12 AM
I can't seem to be able to set a variable or a token as the window parameter in the streamstats command.

| streamstats avg(count) as avg_count window=$window_token$

| eval c = 2
| streamstats avg(count) as avg_count window=c

I get the error saying the option value is not an integer. It seems it doesn't take the value of the variable/token. Is there any way to change the parameter dynamically?

"Invalid option value. Expecting a 'non-negative integer' for option 'window'. Instead got 'c'."
06-09-2023 03:02 PM
@Anonymous The index is ~1.5 TB. I can't share the dashboard panels with you, but they don't use the same base search. It is a bunch of panels that show the top counts of fields with high variance. But even with just one of these searches, how could we improve performance so that it finishes a month of data in a reasonable amount of time? I am using the old dashboard but could use the new one.
06-09-2023 02:43 PM
Is it only possible to yield results in the generate() function? If I run the simple command below, it only yields the "hello" message from the generate() function, even though generate() calls generate2().

import sys, time
from splunklib.searchcommands import \
    dispatch, GeneratingCommand, Configuration, Option, validators

@Configuration()
class GenerateHelloCommand(GeneratingCommand):
    count = Option(require=True, validate=validators.Integer())

    def generate2(self):
        yield {'_time': time.time(), 'event_no': 2, '_raw': "hello 2"}

    def generate(self):
        self.generate2()
        yield {'_time': time.time(), 'event_no': 1, '_raw': "hello"}

dispatch(GenerateHelloCommand, sys.argv, sys.stdin, sys.stdout, __name__)
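Why the posted generate() emits only "hello", as an added example that is not code from the post or from splunklib: calling a generator function creates a generator object, but its body never runs until something iterates it, so `self.generate2()` on its own does nothing. The structure of the posted command is reproduced below without the splunklib base class (the helper name `records_from_helper` and the `count` argument are assumptions), beside the delegating form that makes the helper's records reach the caller.

```python
"""Calling a generator function only creates a generator; its records are
emitted only when that generator is iterated. Added example, not code from
the original post; splunklib is left out so this runs anywhere."""
import time


def records_from_helper(count):
    """Stand-in for the post's generate2(): a helper that yields several records."""
    for n in range(2, 2 + count):
        yield {"_time": time.time(), "event_no": n, "_raw": f"hello {n}"}


def generate_as_posted(count=1):
    """Mirrors the posted generate(): the helper is called, its generator discarded."""
    records_from_helper(count)  # creates a generator object, never iterates it
    yield {"_time": time.time(), "event_no": 1, "_raw": "hello"}


def generate_fixed(count=1):
    """Delegate to the helper with `yield from`, so its records are emitted first."""
    yield from records_from_helper(count)
    yield {"_time": time.time(), "event_no": 1, "_raw": "hello"}


def generate_fixed_explicit(count=1):
    """Same result without `yield from`, for code that must stay Python 2 compatible."""
    for record in records_from_helper(count):
        yield record
    yield {"_time": time.time(), "event_no": 1, "_raw": "hello"}


def raw_events(generator):
    """Collect the _raw values a generating command would hand back to Splunk."""
    return [record["_raw"] for record in generator]


if __name__ == "__main__":
    print("as posted:  ", raw_events(generate_as_posted(2)))
    print("yield from: ", raw_events(generate_fixed(2)))
    print("explicit:   ", raw_events(generate_fixed_explicit(2)))
```

In the posted class the same change applies: `yield from self.generate2()` in generate() instead of a bare `self.generate2()`. The search command framework only consumes what generate() yields, so any helper that yields must be iterated from inside generate().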
06-09-2023 11:29 AM
I have a search that gets the top users over a long period of time. It also displays the most common field X value, which can be any value. So it would be something like:

index=some_index | stats count mode(field_X) by user | sort - count | head 10

That takes 30 seconds for 5 million events for 1 day of data. I want to run this for longer periods of time, like a month or even longer. Is the best method to increase performance just to summary index the above example, but removing the top 10 part?
Labels: stats
04-19-2023 10:02 AM
For an ad hoc search, users can click Job -> Edit Job Settings and change read permissions to "Everyone". How can I restrict users from being able to do this?
Labels: access control
04-13-2023 11:15 AM
The Splunk docs have this for the bubble chart format:

<stats_command> <y-axis_field> <x-axis_field> <bubble_size_field>

The UI displays this for the format of the bubble chart:

| stats x_value_aggregation y_value_aggregation size_aggregation

Why are the x and y values flipped?
In my bubble chart for over 4 hours of data, it works where the x value is first. But if I change the time period to 15 minutes, the x value is now the second data point. The first point is now not even the y axis; it is now displayed in the legend. The category I picked is no longer the legend.
04-12-2023 03:02 PM
I have a dashboard that shows a user's dashboards and reports in the app. I can click the object I want and it will call a custom command that uses the REST API to make the permission change. This works fine with the command being invoked in a panel that is hidden until an object is selected. However, when I implement a modal pop-up that has the REST API call search defined and run in a .js file, I sometimes get a 404 and 409 error when changing the objects' permissions. But the objects' permissions are still successfully changed.
Edit: I checked the internal log, and when I run the custom command via the JavaScript file, it calls the REST API 3 times. Running it from a dashboard always runs it once.
Labels: dashboard, javascript
04-07-2023 10:19 AM
Is it possible to control what API requests a role is allowed to make? For example, can I restrict a role to only be able to see all saved searches, servicesNS/-/-/saved/searches?
04-07-2023 10:05 AM
That was what I was thinking. The only thing is that users decide when to share an object, so the user would need to initiate the custom command. The only concern I have is putting the credentials in the command. However, I could just make a role that only has the admin_all_objects capability, turn on token authentication, and not allow the role any access to any indexes, to add some extra layers of restriction in case the users could obtain the credentials somehow. Is there a way that I can limit what API commands a role runs?
04-06-2023 01:48 PM
I have an app where users of different roles want to share their dashboards and reports with each other. However, if I allow them to, they would be able to share their objects with everyone or all users. Is there a way to limit them to only the option of sharing with just their own role? Alternatively, I was thinking of using a custom command that has admin credentials to change the permissions, but that would require hardcoding admin creds in the command. Is there a better way to store the admin credentials? I know I can't encrypt the passwords in storage/passwords because then I would need to allow the user to have that capability.
03-31-2023 10:12 AM
If a role has access to index1, then it can search it, run something, and then summary index via the collect command to index2. But I want it so that they can only write to index2 and can't read it.
03-30-2023 02:41 PM
Is it possible to limit a role to only have write access to an index? For example, I want a role to be able to do summary indexing via the collect command, but I do not want them to be able to see what is in the index.
Labels: permissions
03-30-2023 01:25 PM (1 Karma)
I was trying to just see the permissions of a private saved search with curl, but I always get "Could not find object id=abc". Is it not possible to see private objects' permissions with an admin user?

curl -k -u username:password https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/abc/acl

Edit: Figured it out. I needed to change the username in the URL from admin to the owner of the saved search.
03-29-2023 03:00 PM
Darn. Thanks for your help. Probably will go down the custom command route.