Hi splunkers, is it possible to restrict indexaccess to specific appcontext? like a user has read access to app a and write access to app b app a has dashboards on index a inside app b has dashboards on index b but searching through index a is not allowed inside app b because we have built a firewall selfservice, where people can check if their connection get blocked by firewall and if so, they can open a ticket by one click. Now we encounter some usergroups that want to be able to search on their own in their own app. With this, they currently could freely search and analyse our firewall data beyond checking if their connection gets blocked or not. How can we achieve accesscontrol like this if its even possible? Thanks in advance! ... View more

Hi fellow splunkers, recently i deployed WinPrintMon inputs to our printserver, to check driver versions and found out that splunk falsly calculated modulus. Tested in Enterprise 9.3.2 and 9.4.0 in the calculated version i found out, that the revision of a driver differs from the printmanagement on that printserver directly. i calculate the revision like that: version % pow(2,16) In my case the calculation translates to 17171305019303231 % 65536 splunk calculates 25920 which isn't correct, it is 25919 ... View more

Hi there im currently at a search to get the usage of Indexes, so i have an overview which indexes gets used in searches and which indexes doesnt so i can speak with the usecase owner if the data is still needed and why it doesnt get used. Thats the current state of the search:   | rest "/services/data/indexes" | table title totalEventCount frozenTimePeriodInSecs | dedup title | append [search index=_audit sourcetype="audittrail" search_id="*" action=search earliest=-24h latest=now ``` Regex Extraction ``` | rex field=search max_match=0 "index\=\s*\"?(?<used_index>\S+)\"?" | rex field=search max_match=0 "\`(?<used_macro>\S+)\`" | rex field=search max_match=0 "eventtype\=\s*(?<used_evttype>\S+)" ``` Eventtype resolving ``` | mvexpand used_evttype | join type=left used_evttype [| rest "/services/saved/eventtypes" | table title search | stats values(search) as search by title | rename search as resolved_eventtype, title as used_evttype] | rex field=resolved_eventtype max_match=0 "eventtype\=\s*(?<nested_eventtype>\S+)" | mvexpand nested_eventtype | join type=left nested_eventtype [| rest "/services/saved/eventtypes" | table title search | stats values(search) as search by title | rename search as resolved_nested_eventtype, title as nested_eventtype] ``` Macro resolving ``` | mvexpand used_macro | join type=left used_macro [| rest "/servicesNS/-/-/admin/macros" count=0 | table title definition | stats values(definition) as definition by title | rename definition as resolved_macro, title as used_macro] | rex field=resolved_macro max_match=0 "\`(?<nested_macro>[^\`]+)\`" | mvexpand nested_macro | join type=left nested_macro [| rest "/servicesNS/-/-/admin/macros" count=0 | table title definition | stats values(definition) as definition by title | rename definition as resolved_nested_macro, title as nested_macro] | where like(resolved_nested_macro,"%index=%") OR isnull(resolved_nested_macro) ``` merge resolved stuff into one field ``` | foreach used* nested* [eval datasrc=mvdedup(if(<<FIELD>>!="",mvappend(datasrc, "<<FIELD>>"),datasrc))] | eval datasrc=mvfilter(!match(datasrc, "usedData")) | eval usedData = mvappend(used_index, if(!isnull(resolved_nested_eventtype),resolved_nested_eventtype, resolved_eventtype), if(!isnull(resolved_nested_macro),resolved_nested_macro, resolved_macro)) | eval usedData = mvdedup(usedData) | table app user action info search_id usedData datasrc | mvexpand usedData | eval usedData=replace(usedData, "\)","") | where !like(usedData, "`%`") AND !isnull(usedData) | rex field=usedData "index\=\s*\"?(?<usedData>[^\s\"]+)\"?" | eval usedData=replace(usedData, "\"","") | eval usedData=replace(usedData,"'","") | stats count by usedData ]    The search first gets the indexes via | rest with its eventcount and retentiontime. Then audittrail data gets appended and used Indexes, Macros and Eventtypes gets extracted from the searchstring and resolved (since some apps uses nested eventtypes/macros in my environment they get resolved twice). Still needs some sanitizing of the extracted used-indexes. that gives me a table like this (limited the table to splunkinternal indexes as example) title totalEventCount frozenTimePeriodInSecs count usedData _audit 771404957 188697600     _configtracker 717 2592000     _dsappevent 240 5184000     _dsclient 232 5184000     _dsphonehome 843820 604800     _internal 7039169453 15552000     _introspection 39100728 1209600     _telemetry 55990 63072000     _thefishbucket 0 2419200           22309 _*       1039 _audit       2 _configtracker       1340 _dsappevent       1017 _dsclient       1 _dsclient]       709 _dsphonehome       2089 _internal       117 _introspection       2 _metrics       2 _metrics_rollup       2 _telemetry       2 _thefishbucket But i didnt managed to merge the rows together so that i have count=1039 for _audit plus the 22309 from searches that uses all internal indexes  in one row for each index. ... View more

Hi there, i have a file monitoring stanza on a universal forwarder where i filter using transforms.conf to only get logentries i need, because the server writes logentries of multiple business processes into the same logfile. Now i need entries of another process with different ACL in a different index from that logfile but in our QS cluster while the first datainput still ingests into our PROD cluster So i have my inputs.conf [monitor://<path_to_logfile>] disabled = 0 index = <dataspecific index 1> sourcetype = <dataspecific sourcetype 1> a props.conf [<dataspecific sourcetype 1>] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = true TRUNCATE = 1500 TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = [%y/%m/%d %H:%M:%S] TRANSFORMS-set = setnull, setparsing and a transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = (<specific regex>) DEST_KEY = queue FORMAT = indexQueue As standalone Stanza i would need the new input like this, with its own setparsing transforms [monitor://<path_to_logfile>] disabled = 0 index = <dataspecific index 2> sourcetype = <dataspecific sourcetype 2> _TCP_ROUTING = qs_cluster   to be honest i could just create a second stanza thats a little different and still reads the same file, but i dont want two tailreader on the same file. What possibilities do i have? Thanks in advance ... View more

Hi, i have a question on Authenticating to IDX Cluster Peer via REST. We have the following Environment: 3 IDX in Cluster 3 SH in Cluster 1 CM (License Manager, IDX Cluster Manager, Deployer & Deploymentserver) Our normal Authentication for Web is currently with LDAP. With my LDAP-User i can directly perform a GET request to an Indexer, but with a local User created over WebUI (tried local user in SHC and on CM) i cant perform any request to an indexer.  The WebUI is disabled on the Indexers and they dont have the LDAP Configuration as the Searchheads does. How does it come, that the Indexer know my LDAP User but not the locally created? And how can i let the indexers to get to know a locally on SH or CM created user? ... View more

Did the blacklist/whitelist got replaced by denylist/allowlist in Splunk 9? In some Blogs i read that Splunk 9 replaced blacklist with denylist? Or is blacklist still usable? In the Changelogs of Splunk 9 i didnt found any evidence for the change, but the Splexicon and some Blogs say something different. https://docs.splunk.com/Splexicon:Denylist https://www.splunk.com/en_us/blog/leadership/biased-language-has-no-place-in-tech-a-follow-up.html?locale=en_us Thanks for explanation 🙂 ... View more