×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
LOP22456
Explorer
Member since: ‎06-23-2025
‎08-08-2025
Community Statistics
Posts 7
Solutions 0
Karma Given 6
Karma Received 0
Member Since ‎06-23-2025
Activity Feed
View All

Re: Power User cannot share saved searches despite...

by in Splunk Search
‎08-08-2025 03:39 AM
‎08-08-2025 03:39 AM
This is the screenshot the user sent - just trying to share Read/Write with other xxx-power users and they don't have the permissions. ... View more

Re: Power User cannot share saved searches despite...

by in Splunk Search
‎08-08-2025 03:19 AM
‎08-08-2025 03:19 AM
Hi @livehybrid,   Thanks for your responses. Can confirm xxx-power has write access into the app: The user that is attempting to share these saved searches in an xxx-power user, so how would it be that only the xxx-admin user can share the search if it was created by xxx-power? ... View more

Power User cannot share saved searches despite hav...

by in Splunk Search
‎08-07-2025 08:51 AM
‎08-07-2025 08:51 AM
We have a search app that a group of users are working from. All of the users have power role and we have given the power role write permissions into the app. When they try to share some saved searches, they are getting this error:   User 'XXXX' with roles { XXX-power, XXX-user } cannot write: /nobody/XXX_Splunk_app/savedsearches/ Test { read : [ XXX-power, XXX-user ], write : [ XXX-admin ] }, export: app, owner: nobody, removable: no, modtime: 1754574650.678659000   From what I read online, once a user is given Write permissions into the App, they can share their KOs. Am I doing something wrong here or has this since changed?   ... View more
Labels

Re: Splunk local account SOX compliance

by in Security
‎06-26-2025 09:19 AM
‎06-26-2025 09:19 AM
Thank you, this is exactly what I need. ... View more

Splunk local account SOX compliance

by in Security
‎06-26-2025 08:53 AM
‎06-26-2025 08:53 AM
Hello, I have a request from a systems manager related to SOX controls. They are requesting information around the local Splunk account that is created when a UF is being installed (this is on a Linux machine). They are asking where the password is stored for this account/who has access to it, and what are the controls around it. They are requesting to make this account non-interactive - would this cause any problems? They would then have to go around to all 200+ UFs and do this, not sure how intuitive this would be. Has anyone encountered requests related to local Splunk UF accounts & SOX controls? ... View more
Labels

Re: Struggling to correctly parse JSON data

by in Getting Data In
‎06-24-2025 02:13 AM
‎06-24-2025 02:13 AM
thank you my friend that worked, most events are now being parsed properly - however I am still seeing some very large 200+ line events not getting parsed, with many of them being 257 lines? Any idea what could be causing these not to parse? ... View more

Struggling to correctly parse JSON data

by in Getting Data In
‎06-23-2025 08:31 AM
‎06-23-2025 08:31 AM
Hello, We have multiple fortigate devices forwarding to a logstash server that is storing all the device's logs in 1 file (I can't change this unfortunately). This is then forwarding to our HF, and then to Splunk Cloud. This then enters splunk with sometimes 20+ logs in a single event, and I can't get them to parse out into individual events by host. Below are samples of 2 logs, but in a single event there could be 20+ logs - I cannot get this to parse correctly out into each event per host (redact). {"log":{"syslog":{"priority":189}},"host":{"hostname":"redact"},"fgt":{"proto":"1","tz":"+0200","vpntype":"ipsecvpn","rcvdbyte":"3072","policyname":"MW","type":"traffic","identifier":"43776","trandisp":"noop","logid":"0001000014","srcintfrole":"undefined","policyid":"36","rcvdpkt":"3","vd":"root","duration":"180","dstintfrole":"undefined","dstip":"10.53.6.1","level":"notice","eventtime":"1750692044675283970","policytype":"policy","subtype":"local","srcip":"10.53.4.119","dstintf":"root","srcintf":"HUB1-VPN1","sessionid":"5612390","action":"accept","service":"PING","app":"PING","sentbyte":"3072","sentpkt":"3","dstcountry":"Reserved","poluuid":"cb0c79de-2400-51f0-7067-d28729f733cf","srccountry":"Reserved"},"timestamp":"2025-06-23T15:20:45Z","data_stream":{"namespace":"default","dataset":"fortinet.fortigate","type":"logs"},"@timestamp":"2025-06-23T15:20:45.000Z","type":"fortigate","logstash":{"hostname":"no_logstash_hostname"},"tags":["_grokparsefailure"],"@version":"1","system":{"syslog":{"version":"1"}},"event":{"created":"2025-06-23T15:20:45.563831683Z","original":"<189>1 2025-06-23T15:20:45Z redact - - - - eventtime=1750692044675283970 tz=\"+0200\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" srcip=10.53.4.119 identifier=43776 srcintf=\"redact\" srcintfrole=\"undefined\" dstip=10.53.6.1 dstintf=\"root\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=5612390 proto=1 action=\"accept\" policyid=36 policytype=\"policy\" poluuid=\"cb0c79de-2400-51f0-7067-d28729f733cf\" policyname=\"MW\" service=\"PING\" trandisp=\"noop\" app=\"PING\" duration=180 sentbyte=3072 rcvdbyte=3072 sentpkt=3 rcvdpkt=3 vpntype=\"ipsecvpn\""},"observer":{"ip":"10.53.12.113"}} {"log":{"syslog":{"priority":189}},"host":{"hostname":"redact"},"fgt":{"proto":"1","tz":"+0200","rcvdbyte":"3072","policyname":"redact (ICMP)","type":"traffic","identifier":"43776","trandisp":"noop","logid":"0001000014","srcintfrole":"wan","policyid":"40","rcvdpkt":"3","vd":"root","duration":"180","dstintfrole":"undefined","dstip":"10.52.25.145","level":"notice","eventtime":"1750692044620716079","policytype":"policy","subtype":"local","srcip":"10.53.4.119","dstintf":"root","srcintf":"wan1","sessionid":"8441941","action":"accept","service":"PING","app":"PING","sentbyte":"3072","sentpkt":"3","dstcountry":"Reserved","poluuid":"813c45e0-3ad6-51f0-db42-8ec755725c23","srccountry":"Reserved"},"timestamp":"2025-06-23T15:20:45Z","data_stream":{"namespace":"default","dataset":"fortinet.fortigate","type":"logs"},"@timestamp":"2025-06-23T15:20:45.000Z","type":"fortigate","logstash":{"hostname":"no_logstash_hostname"},"tags":["_grokparsefailure"],"@version":"1","system":{"syslog":{"version":"1"}},"event":{"created":"2025-06-23T15:20:45.639474828Z","original":"<189>1 2025-06-23T15:20:45Z redact - - - - eventtime=1750692044620716079 tz=\"+0200\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" srcip=10.53.4.119 identifier=43776 srcintf=\"wan1\" srcintfrole=\"wan\" dstip=10.52.25.145 dstintf=\"root\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=8441941 proto=1 action=\"accept\" policyid=40 policytype=\"policy\" poluuid=\"813c45e0-3ad6-51f0-db42-8ec755725c23\" policyname=\"redact (ICMP)\" service=\"PING\" trandisp=\"noop\" app=\"PING\" duration=180 sentbyte=3072 rcvdbyte=3072 sentpkt=3 rcvdpkt=3"},"observer":{"ip":"10.52.31.14"}}   I have edited props.conf to contain the following stanza, but still no luck:   [fortigate_log] SHOULD_LINEMERGE = false LINE_BREAKER = }(\s*)\{   Any direction on where to go from here?  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-08-2025 03:17 AM
Karma given to
View All