06-20-2019
02:12 AM
1 Karma
Is there any other way to get all events? By selecting "For each result" I am getting all messages, but it results in a large number of messages on the Slack channel, i.e. I will get 10 messages on the Slack channel for 10 events. I am looking to get only one Slack message containing all 10 events.
10-10-2018
11:18 PM
Hi
I want to track space usage of directories on multiple hosts, e.g. /var/tmp, so that I can check which directory/subdirectory is growing in size, any new directory created, etc. Can you please suggest an app which can help to achieve this?
10-10-2018
10:38 PM
I was able to do this by using a search filter, but I would suggest getting the data into a separate index and restricting permission on that instead of at the source level. Restricting permission at the source level is very difficult to maintain in the long run and is a little complicated.
10-08-2018
01:49 AM
Hi
I have an index named "xyz" and inside that I have data from different sources (a, b, c, etc.). I want to restrict permission on index=xyz source=a instead of the whole index. Is this possible to do? If yes, how can I do it?
Please help.
10-05-2018
07:43 PM
We observed a security loophole in Splunk Enterprise Security. We have restricted permission on the "Y" index in Splunk to "X" role participants only. Other members, except team X, are not able to view data in that index when they run the query (index="Y"), but when someone from team X forwards the search link after running the query index="Y" to another team, they are able to view data in that index. I believe the reason is that when they share the search link they are sharing the sid associated with that search, which is why security is bypassed.
Can someone please help us to understand why this is happening?
02-01-2018
05:36 AM
Yes, this was already in mind. Just thinking, instead of creating 3 separate model inputs, if it is possible to do this using whitelist/blacklist in a single input, that would be great.
02-01-2018
04:05 AM
This is not working. Adding recursive = false will not pick up logs in the error and heartbeat directories.
02-01-2018
12:08 AM
There is a chance that the dev team can create a directory similar to xyz with another name as well. So what change do I need to add to the blacklist you mentioned?
01-31-2018
11:13 AM
Hi Guys
I am trying to pick up logs named job-info.*log from the common directory, job-heartbeat.*log from the heartbeat subdirectory and job-error.*log from the error subdirectory. I used the configuration below and it is working fine. The only issue I am facing is that job-info.*log files are also getting picked up when someone places these files in other subdirectories (xyz in the case below). I don't want these files to be picked up when they are placed in any subdirectory; they should be picked up only when they are placed in the common directory. Please suggest changes to the whitelist.
[monitor:///abc/common/]
disabled = false
index = infra_job
whitelist = (job-info.*log|heartbeat/job-heartbeat.*log|error/job-error.*log)
Directory structure:
cd /abc/common/
Files/directories under this directory (example):
error/
heartbeat/
xyz/job-info.*log ---- don't want these logs to be picked up
job-info1.log
job-info2.log
job-info3.log
Thanks in advance
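An added example, not part of the original thread, that reproduces with Python's `re` why the whitelist above also matches files under xyz/, and shows an anchored whitelist that only matches the intended locations. It assumes Splunk tests the whitelist as an unanchored regex search against each file's full path; the sample paths are constructed from the directory listing in the post.

```python
import re

# Whitelist exactly as in the inputs.conf stanza from the post.
ORIGINAL_WHITELIST = r"(job-info.*log|heartbeat/job-heartbeat.*log|error/job-error.*log)"

# Anchored rewrite (assumption: the regex is searched against the full file path).
# '^' and '$' pin the match to the whole path, and [^/]* instead of .* stops
# the wildcard from crossing a directory boundary.
ANCHORED_WHITELIST = (
    r"^/abc/common/("
    r"job-info[^/]*\.log"
    r"|heartbeat/job-heartbeat[^/]*\.log"
    r"|error/job-error[^/]*\.log"
    r")$"
)

# Constructed sample paths mirroring the listing in the post.
SAMPLE_PATHS = [
    "/abc/common/job-info1.log",               # wanted
    "/abc/common/job-info2.log",               # wanted
    "/abc/common/heartbeat/job-heartbeat1.log",# wanted
    "/abc/common/error/job-error1.log",        # wanted
    "/abc/common/xyz/job-info1.log",           # not wanted: job-info in a subdirectory
    "/abc/common/xyz/deeper/job-info1.log",    # not wanted: nested even deeper
    "/abc/common/other/job-heartbeat1.log",    # not wanted: wrong subdirectory
]


def whitelisted(pattern: str, path: str) -> bool:
    """True if the path passes the whitelist under unanchored search semantics."""
    return re.search(pattern, path) is not None


def matches(pattern: str, paths=SAMPLE_PATHS) -> list:
    """Return the subset of paths the given whitelist would let through."""
    return [p for p in paths if whitelisted(pattern, p)]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_WHITELIST), ("anchored", ANCHORED_WHITELIST)):
        print(name)
        for p in matches(pattern):
            print("  ", p)
```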
01-11-2018
11:08 PM
I have a field in logs (PublishTime) which is different from _time. To display it in Splunk I have created a dropdown that shows the time [snip #1]. However, I want the dropdown to be similar to what we have for _time [snip #2]. Is there any way to achieve the below?
09-12-2017
02:49 AM
We had created an alert to catch errors in logs and gave permission to a group (10-15 users) to edit the alert, but someone disabled the alert, due to which it didn't trigger. Just wanted to check if there is any way to find the user who disabled the alert?