I was looking more for a setting from a Splunk config. Managing ACLs is along the same lines as having to manage permissions. Also, I have SunOS, AIX, & Linux to manage. I should have been more specific in my question. Thanks for the feedback though.

Typically you need a default group for that:
Add this to your outputs.conf
[tcpout]
defaultGroup=nothing
disabled = false
indexAndForward = true
http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Forwarddatatothird-partysystemsd
"Note: If you want to forward only the data specifically identified in props.conf and transforms.conf, set defaultGroup=nothing."

Adding this to server.conf seems like a solution:
[license]
active_group = Forwarder
Or use the GUI in 4.2 to switch to free license:
log in to the UI, go to manager > licensing
change the license group to "free license"
restart

In 4.2 to switch to free license:
log in to the UI, go to manager > licensing
change the license group to "free license"
restart
I'm still looking for a cmdline way to do it.

Splunk runs as root so it has access to monitor anything on the system without managing those permissions.
I ran this
find /opt/splunk/ -type d -exec chmod g+s {} \;
The files get created:
-rw------- 1 root splunk filename
I want to have it
-rw-rw---- 1 root splunk filename
Any ideas besides changing the root user's default umask?

After I got everything cleaned up from above and my *nix app deployment, I was able to get rid of the recover-padding entries after working with support.
I had to stop Splunk and delete *.data, .*manifest file(s) from /opt/splunk/var/lib/splunk/os/db
Then start Splunk.
I didn't have any .*manifest files but that cleared them up for me.
Also note it is NOT *.manifest. It is .*manifest.
I validated that by looking in some of my other db dirs.
After the restart it rebuilt the *.data files.
They said if the above didn't work then I should
"run recover-metadata on all of your os index and identify the bad index"
But only if the above didn't work.

I think it might have happened because when I added ps.sh & top.sh to /opt/splunk/etc/deployment-apps/unix/local/inputs.conf I forgot to add them to /opt/splunk/etc/deployment-apps/unix/default/inputs.conf
I had removed the entries I didn't want at first. Anyway, I put them back and deployed, but the recover-padding entries still didn't go away. Now I'm back to no ps.sh & top.sh but those darn recover-padding entries are all over even after a restart.

In using the *nix app, I had cpu.sh/iostat.sh/vmstat.sh and all was working fine across 300 rhel4/5 boxes.
I added in ps.sh & top.sh and now I have 219 recover-padding=# host entries.
recover-padding-[1-5] as sources & sourcetypes.
Why did this happen and how can I make them go away?
I noticed this question but I couldn't find a Hosts.metadata file.
http://answers.splunk.com/questions/10032/wierd-hosts-recover-padding-listed