I have a single search head and configured the props.conf to have DATETIME_CONFIG = CURRENT as I want the data to be indexed at the time Splunk receives the report. I restarted splunk after every change. Previously I had it set to a field in the report. When I upload a csv and use the correct sourcetype it assigns the current time to the report. When I upload a report via curl through the HEC endpoint it indexes it to the right time. Same thing when I run it through a simple script. But when the test pipeline runs, it indexes data to the timestamp that is in the report even though it is using the same sourcetype as the other tests I did. Is it possible to add a time field that overrides the sourcetype config? Is there a way to see the actual api request in the splunk internal logs? ... View more

I can't seem to be able to set a variable or a token to the window parameter in the streamstats command.    | streamstats avg(count) as avg_count window=$window_token$ | eval c = 2 | streamstats avg(count) as avg_count window=c   I get the error saying the option value is not an integer. Seems it doesn't take the value of the variable/token. Is there any way to change the parameter dynamically? "Invalid option value. Expecting a 'non-negative integer' for option 'window'. Instead got 'c'." ... View more

Is it only possible to yield results in the generate command? If I run the simple command below it only yields the "hello" message in the generate() function even though generate() calls generate2(). import sys, time from splunklib.searchcommands import \ dispatch, GeneratingCommand, Configuration, Option, validators @Configuration() class GenerateHelloCommand(GeneratingCommand): count = Option(require=True, validate=validators.Integer()) def generate2(self): yield {'_time': time.time(), 'event_no': 2, '_raw': "hello 2"} def generate(self): self.generate2() yield {'_time': time.time(), 'event_no': 1, '_raw': "hello"} dispatch(GenerateHelloCommand, sys.argv, sys.stdin, sys.stdout, __name__)   ... View more

I have a search that gets the top users over a long periods of time . It also displays the most common field X value which can be any value. So it would be something like: index=some_index | stats count mode(field_X) by user | sort - count | head 10 That takes 30 seconds for 5 million events for 1 day of data. I want to run this for longer periods of time like a month or even longer. Is the best method to increase performance to just summary index the above example but just removing the top 10 part?  ... View more

For an adhoc search, users can click Job -> edit job settings and change read permissions to "everyone". How can I restrict users from being able to do this? ... View more

The splunk docs have this for the bubble chart format: <stats_command> <y-axis_field> <x-axis_field> <bubble_size_field> The UI displays this for the format of the bubble chart:  | stats x_value_aggregation y_value_aggregation size_aggregation  Why are the x and y values flipped? In my bubble chart for over 4 hours of data, it works where the x value is first. But if I change the time period to 15 minutes the x value is now the second data point. The first point is now not even the y axis. It is now displayed in the legend. The category I picked is no longer the legend. ... View more

I have a dashboard that shows a users dashboards and reports in the app. I can click the object I want and it will call a custom command that uses the REST api to make the permission change. This works fine with the command being invoked in a panel that is hidden until an object is selected. However when I implement a modal pop up that has the REST api call search defined and ran in a .js file, I sometimes get a 404 and 409 error when changing the objects permissions. But the objects' permissions are still successfully changed. Edit: I checked the internal log and when I run the custom command via the javascript file, it calls the REST API 3 times. Running it from a dashboard always runs it once. ... View more

Is it possible to control what API requests a role is allowed to make? For example can I only restrict a role to be able to see all saved searches servicesNS/-/-/saved/searches? ... View more

I have an app where users of different roles want to share their dashboards and reports with each other. However if I allow them to, they would be able to share their objects with everyone or all users.  Is there a way to only limit them the option to share it just to their own role? Alternatively I was thinking of using a custom command that has admin credentials to change the permissions but that would require hardcoding admin creds in the command. Is there a better way to store the admin credentials? I know I can't encrypt the passwords in storage/passwords because then I would need to allow the user to have that capability.  ... View more

Is it possible to limit a role to only have write access to an index?  For example I want a role to be able to do summary indexing via the collect command but I do not want them to have to be able to see what is in the index. ... View more