Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About the_wolverine
the_wolverine
Champion
Member since:
01-14-2010
12-20-2022
Community Statistics
| Posts | 994 |
| Solutions | 187 |
| Karma Given | 1004 |
| Karma Received | 949 |
| Member Since | 01-14-2010 |
Activity Feed
- Got Karma for Re: Is there a way to accurately measure data model acceleration disk usage via Splunk?. 03-07-2023 11:51 PM
- Got Karma for Re: Question about "run as" (Owner or User ) for saved searches. Missing in version 7.. 01-20-2023 07:43 AM
- Karma Re: Why would Splunk NOT obey "dispatch.ttl" and delete results/artifacts early? for matthewhasty. 12-20-2022 01:19 PM
- Got Karma for Re: Autostart Splunk on boot. 12-09-2022 05:46 AM
- Got Karma for Re: Perform two lookups with same table and two different lookup fields?. 11-21-2022 04:47 AM
- Got Karma for Re: How to determine daily license usage in GB?. 11-08-2022 02:37 PM
- Karma Re: Can i assign a color to a string in a field if it is present in the field ? for varun99. 11-03-2022 09:57 AM
- Got Karma for Re: Getting error "Streamed search execute failed because: JournalSliceDirectory: Cannot seek to 0" when running a search. 10-01-2022 04:25 AM
- Got Karma for Re: Multiple SEDCMDs. 06-29-2022 11:41 AM
- Got Karma for Re: How to efficiently calculate max events per second (eps) by hour over long timeranges, like 30 days?. 05-31-2022 02:54 PM
- Got Karma for Splunk alert reply-to field doesn't exist?. 04-28-2022 02:13 PM
- Got Karma for BEWARE: srchFilter usage may negate each other in certain situation.. 04-28-2022 02:11 PM
- Got Karma for What is the correct earliest_time format for searches when programmatically querying Splunk?. 04-28-2022 02:07 PM
- Got Karma for Re: What is the correct earliest_time format for searches when programmatically querying Splunk?. 04-28-2022 02:07 PM
- Got Karma for Re: Is there any way to get Splunk to replicate Search History in a Search Head Cluster?. 04-28-2022 02:06 PM
- Got Karma for Re: Is there any way to get Splunk to replicate Search History in a Search Head Cluster?. 04-28-2022 02:05 PM
- Got Karma for Re: Is there a way to modify alert url $results.url$ in email alerts?. 04-28-2022 01:56 PM
- Got Karma for Is there a way to modify alert url $results.url$ in email alerts?. 04-28-2022 01:56 PM
- Got Karma for How to display the contents of a lookup file?. 04-28-2022 01:56 PM
- Got Karma for Re: Fastest way to count records per day. 04-28-2022 01:55 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-05-2019
11:10 AM
Very informative writeup. Thank you for taking the time. I'm awarding you points for your effort!
... View more
08-19-2019
11:05 AM
1 Karma
We're trying to track down high search load and having trouble figuring out how to id which dashboards are causing the high load due to searches. Audit logs provides the query which shows in-line searches with Sid containing "searchX", so 50 searches in a dashboard would launch searches with SID named search1 -> search50. How to trace those back to a dashboard?
... View more
05-17-2019
12:06 PM
As of version 6.x (and 7.x) the setting has been moved to the general stanza in user-prefs.conf:
[general]
default_namespace = search
... View more
05-17-2019
12:05 PM
Where does the setting go to set the default app to Search? In previous versions ..
user-prefs.conf:
[general_default]
default_namespace = search
would do it.
... View more
- Tags:
- splunk-enterprise
05-16-2019
06:52 PM
I know this is late but you could create a custom role that does not have the following capability:
accelerate_datamodel
... View more
01-31-2019
12:43 PM
In splunkd.log we see:
01-31-2019 12:38:03.683 -0800 INFO Archiver - Archiving large_file=/opt/splunk/etc/apps/search/lookups/large_lookup.csv of size_in_bytes=262621937 (exceeding threshold=52428800)
This is actually useful for finding out how large lookup files are. What is Splunk actually doing with it?
... View more
01-23-2019
08:48 PM
Did you know you could just do
| inputlookup Saved_Tests.csv where ID="$enter_saved_test_id$ | .... etc
I'm not sure but this may speed up your search, vs loading the entire lookup file and then whittling it down after.
... View more
01-17-2019
10:43 AM
2 Karma
The setting was never removed in version 7. After months of dealing with the loss and non-working solutions, I discovered on my own that it had been relocated to "Edit Permission". The search will always run as Owner if is scheduled (makes sense). When configured as a saved search (not scheduled), the owner can set "Run As" to Owner or User via the Edit Permission.
... View more
01-15-2019
05:32 PM
1 Karma
Confirmed that this works. Thank you.
Had a case open with Splunk for several years and no update. Disappointing.
... View more
11-14-2018
11:16 AM
Yes, however our users MUST be allowed to outputlookup. So cannot remove this capability.
... View more
11-14-2018
09:29 AM
Users are using outputcsv which generates the output on our filesystem which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact).
It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...)
Reference: https://answers.splunk.com/answers/416877/will-csv-files-produced-by-the-outputcsv-command-b.html
outputlookup is allowed so we cannot remove output_file capability.
... View more
10-18-2018
06:04 PM
1 Karma
The solution is the save the search as a Report. Once you save it, you can go back in and edit it to see the option to enable Summary indexing. If you save it as an Alert, the summary indexing option is missing.
... View more
10-18-2018
05:59 PM
Yes they broke it again.
... View more
10-09-2018
11:25 AM
1 Karma
It looks like as of version 7, the user is no longer able to edit this setting (Run as Owner vs User). It has moved to Advanced Edit which may be available only to admins.
1 - Does run as "Owner" bypass index access security? Assuming the saved search is readable by a user, that user does not need access to the data to run the search and see results?
2 - Since the saved search is configured to run as "Owner", the Owner's quota will be consumed when the search is run?
The saved search spec describes this setting in:
https://docs.splunk.com/Documentation/Splunk/7.2/Admin/Savedsearchesconf (I believe there is no change for this particular feature since version 6.6)
... View more
08-23-2018
11:07 AM
Thanks but the example did not support an actual by-clause
index=_internal sourcetype=splunkd*
| stats count by sourcetype
| map search="search index=_internal sourcetype=$sourcetype$ | timechart count as $sourcetype$ | predict $sourcetype$"
| stats values(*) as * by _time
I need predict to support "timechart count as $sourcetype$ by host" for example.
... View more
08-17-2018
10:37 AM
1 Karma
Is there a way to split by using predict.
I can predict on a single factor, e.g.
| timechart span=1h max(values) as values | predict values
How about:
| timechart span=1h max(values) as values by user?
... View more
08-07-2018
04:11 PM
Interesting. I wonder if this is then a bug in a previous version that they didn't want to acknowledge as a bug but secretly fixed. It has happened.
... View more
07-25-2018
12:16 PM
instead of join, it may be more efficient to use lookup command. E.g.
index ="12345" sourcetype = "system_database" | lookup manual_db.csv deviceName | lookup manual_software_db.csv productFamily | lookup manual_software_db.csv | search swType=105 ...
Every subsearch is a search which needs to complete before Splunk can proceed to the next step so it is always a good idea to reduce the number of joins/subsearches wherever possible.
... View more
06-29-2018
12:52 PM
1 Karma
[serial_number]
INDEXED_VALUE=false
... View more
06-28-2018
11:37 AM
This broke for us after upgrading to version 7.0. It was previously also required in version 5.x. Looks like they changed it back in version 7.
... View more
