Your earlier H/W resources were less than the minimum requirements for ES. I think even after adding the ess_admin role, it wouldn't have worked. https://docs.splunk.com/Documentation/ES/6.1.1/Install/DeploymentPlanning ... View more

Yes, those are three separate steps, but I believe that you can combine them a bit. For example, this curl command should run authenticate and run a search, without creating a session. curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search *" This comes from the REST API tutorials: http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/RESTTUT/RESTsearches The difficulty is that this command returns a search job id, not the actual search results. You need to make a second call (shown in the tutorial) to actually retrieve the results. If you use one the of SDKS (eg. Python or Java), you will see that they provide a "one shot" search as part of the SDK, which does do what you want. But I don't know how to do this with a single call to the REST API. ... View more

@rdagan Is there a version of Splunk add-on of Kafa out now to support kerberos authentication with Kafka? Thanks in advance Sven ... View more

Hi Mporath, Would you be able to update this app to work with Splunk version 7.1.1 If you don't have time you can perhaps give me some indication on how to go about updating it and I can attempt to do it. Thanks! ... View more

Same here... I suppose it's an issue with Linux limits.conf? ... View more

One event can have only one source type, think of it as a tag which gets added upon indexing. If you need the clear and the anonymized data, I would copy the data to a second index and anonymize the data during this copy. So you can create a role which has only access to this index, and thus only to the anonymized data. If it is not that important, you could create an app which does not show the clear data, create a restricted role for this app so it has access to this index, but can not execute any free from search. Then grant only this app to a certain role. But if one user has an additional role which allows access to the search app, then this user is able to search the index and see the clear data, something you probably don't want. ... View more

By default the transaction command calculates multivalue fields as distinct values only. You can set mvlist=eventtype though to disable this behaviour for that field. ... View more

thanks for your answer i have a last question on this app, when we start the collect script we retreive all the historical data. is it possible to retreive only the live log ? how can we do it ? thanks ... View more

hi i have the same issue i modified the both file event_codes.csv in the two application : Splunk_CiscoSecuritySuite/lookups + Splunk_CiscoFirewalls/lookups but nothing change ... View more

I just thought it may be worth pointing out that the mvrex command which is implemented by the SA-cim_validator app may be something worth taking a look at. While the command itself doesn't deal with lookups, values pulled back from lookups are send through this command on at least one of the dashboards: https://github.com/hire-vladimir/SA-cim_validator/blob/master/bin/mvrex.py Anyways, the combo of regex within lookups is pretty rare. Thought this may give some future readers some ideas to think about. ... View more