Hi - I would like to monitor the status of a linux-based splunkd configured as a heavy forwarder from an external system (nagios, custom scripts, etc). The only visibility I'm aware of regarding the state of the daemon from the linux cli is 'splunk status splunkd' which just tells me if the daemon is running or not. Is there any way for splunkd to report, fer instance, how long its been running and the number of connections accepted in the last minutes ? Thanks, -Rob ... View more

Hi - My site has some standalone 6.2 search heads and recently implemented a new cluster of 6.6.1 search heads as well. I've enabled LDAP authentication, defined a default strategy, and mapped LDAP groups to roles on the cluster, but there are some puzzling differences between 6.2 stand-alone and 6.6.1 clustered that I'm hoping to learn more about. Specifically, there are a number of strategies (settings -> access controls -> authentication method -> LDAP strategies) listed that I didn't create and can't delete/clone/enable but seem to be related to my "default" strategy. Their names are: authenticaiton, cacheTiming,roleMap_default, secrets. And while I can create additional strategies, the only one I can "enable" is "default". I've tried these operations from all cluster members with the same results on all. I've read lots of docs about 6.6.1 search head clusters and LDAP authentication, but nothing I saw discussed automatically created strategies. Anyone got any pointers that'll help me understand this ? Thanks, -Rob ... View more

I use Splunk as an admin and most of my users are power users. Following a syntactically valid search, a list of matching events is available to the user (so far, so normal). When an event is expanded, there is an 'Event Actions' button that allows users to, among other things, view the raw event. Some of my users report that they don't have this button. Because we have a Gordian knot of LDAP and AD authentication mechanisms, overlapping and inherited roles, and opaque role-index mappings, i can't easily figure out what makes those particular users different from the rest. Question: Is it possible to construct a role that prevents the "Event Actions" button from being displayed ? ... View more

Hi - I have a working LDAP authentication/authorization configuration. There are no local users - all access is based on LDAP group membership and associated role definitions. A couple of our roles import "power" role. A couple of roles import other roles that import "power". There are multiple AD and OpenLDAP stores and some users are members of dozens of groups. Some of the LDAP groups import other LDAP groups (which a couple of "Answer" topics have indicated can be problematic). 1) I'd like guidance on constructing a query (preferably REST, but I'm not too fussy) that will show me which roles are importing "power" (or any other role or permssion, for that matter). Recursive would be icing on the cake. 2) Is there any equivalent of a "debug verbose" flag I can turn on in Splunk itself for authentication/authorization that will log all requests to and results from the LDAP servers ? I'm hoping for the equivalent of the "-d 1" flag for ldapsearch. Thanks, -Rob ... View more