Activity Feed
- Got Karma for Re: How do I reload authentication from CLI?. 01-17-2025 12:00 PM
- Got Karma for Re: Question about "run as" (Owner or User ) for saved searches. Missing in version 7.. 05-16-2024 05:58 AM
- Got Karma for Re: Someone else configured field extractions, but I would like to delete some of them. Where do I find them?. 01-18-2024 12:12 PM
- Got Karma for Re: What are the minimum capabilities needed to modify and push config change from Deployment Server?. 07-02-2023 01:36 AM
- Got Karma for Re: Is there a way to accurately measure data model acceleration disk usage via Splunk?. 03-07-2023 11:51 PM
- Got Karma for Re: Question about "run as" (Owner or User ) for saved searches. Missing in version 7.. 01-20-2023 07:43 AM
- Karma Re: Why would Splunk NOT obey "dispatch.ttl" and delete results/artifacts early? for matthewhasty. 12-20-2022 01:19 PM
- Got Karma for Re: Autostart Splunk on boot. 12-09-2022 05:46 AM
- Got Karma for Re: Perform two lookups with same table and two different lookup fields?. 11-21-2022 04:47 AM
- Got Karma for Re: How to determine daily license usage in GB?. 11-08-2022 02:37 PM
- Karma Re: Can i assign a color to a string in a field if it is present in the field ? for varun99. 11-03-2022 09:57 AM
- Got Karma for Re: Getting error "Streamed search execute failed because: JournalSliceDirectory: Cannot seek to 0" when running a search. 10-01-2022 04:25 AM
- Got Karma for Re: Multiple SEDCMDs. 06-29-2022 11:41 AM
- Got Karma for Re: How to efficiently calculate max events per second (eps) by hour over long timeranges, like 30 days?. 05-31-2022 02:54 PM
- Got Karma for Splunk alert reply-to field doesn't exist?. 04-28-2022 02:13 PM
- Got Karma for BEWARE: srchFilter usage may negate each other in certain situation.. 04-28-2022 02:11 PM
- Got Karma for What is the correct earliest_time format for searches when programmatically querying Splunk?. 04-28-2022 02:07 PM
- Got Karma for Re: What is the correct earliest_time format for searches when programmatically querying Splunk?. 04-28-2022 02:07 PM
- Got Karma for Re: Is there any way to get Splunk to replicate Search History in a Search Head Cluster?. 04-28-2022 02:06 PM
- Got Karma for Re: Is there any way to get Splunk to replicate Search History in a Search Head Cluster?. 04-28-2022 02:05 PM
11-05-2019
11:10 AM
Very informative writeup. Thank you for taking the time. I'm awarding you points for your effort!
08-19-2019
11:05 AM
1 Karma
We're trying to track down high search load and having trouble figuring out how to identify which dashboards are causing the high load due to searches. Audit logs provide the query, which shows in-line searches with SIDs containing "searchX", so 50 searches in a dashboard would launch searches with SIDs named search1 -> search50. How do I trace those back to a dashboard?
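Added example, not from the post above and not Splunk code: one way to do the attribution the question asks for is to correlate each audited search with the most recent dashboard page load by the same user in the web access log, since a dashboard fires its panel searches within a second or two of the page being requested. The log lines below are constructed to resemble index=_audit (sourcetype=audittrail) and index=_internal (sourcetype=splunk_web_access) events; the "_searchN" suffix on the SIDs is invented to mirror the post's description and the 30-second window is a tunable assumption, not a documented value. In production you would run the same join in SPL over those two indexes; this script shows the logic on exported lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Shapes loosely follow the audit
# trail and the web access log; field order and the SID suffix are assumptions.
AUDIT_LINES = [
    "08-19-2019 10:58:02.110 -0700 INFO AuditLogger - Audit:[timestamp=08-19-2019 10:58:02.110, "
    "user=jsmith, action=search, info=granted, search_id='1566237482.101_search1', "
    "search='search index=web status=500 | timechart count']",
    "08-19-2019 10:58:02.130 -0700 INFO AuditLogger - Audit:[timestamp=08-19-2019 10:58:02.130, "
    "user=jsmith, action=search, info=granted, search_id='1566237482.102_search2', "
    "search='search index=web | stats count by host']",
    "08-19-2019 10:59:40.500 -0700 INFO AuditLogger - Audit:[timestamp=08-19-2019 10:59:40.500, "
    "user=jsmith, action=search, info=granted, search_id='1566237580.201', "
    "search='search index=_internal | head 10']",
    "08-19-2019 10:58:02.900 -0700 INFO AuditLogger - Audit:[timestamp=08-19-2019 10:58:02.900, "
    "user=bob, action=search, info=granted, search_id='1566237482.150_search1', "
    "search='search index=fw action=blocked | stats count']",
]
WEB_LINES = [
    '10.1.2.3 - jsmith [19/Aug/2019:10:58:01.900 -0700] "GET /en-US/app/search/error_overview HTTP/1.1" 200 48211 "-" "Mozilla/5.0" - 312ms',
    '10.1.2.9 - bob [19/Aug/2019:10:58:02.400 -0700] "GET /en-US/app/secops/firewall_blocks?form.span=1h HTTP/1.1" 200 40112 "-" "Mozilla/5.0" - 201ms',
]

AUDIT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r".*?user=(?P<user>[^,]+), .*?search_id='(?P<sid>[^']+)'"
)
# /<locale>/app/<app>/<view>  -- the view name is the dashboard id
WEB_RE = re.compile(
    r'^\S+ - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /[^/]+/app/(?P<app>[^/]+)/(?P<view>[^/?\s"]+)'
)


def attribute_searches(audit_lines, web_lines, window_seconds=30):
    """Map each audited search id to (user, 'app/view') for the latest dashboard
    page load by that user at or before the search, within the window.
    Searches with no matching page load get (user, None): ad-hoc or scheduled."""
    loads = []
    for line in web_lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S.%f %z')
        loads.append((m['user'], ts, f"{m['app']}/{m['view']}"))
    loads.sort(key=lambda t: t[1])

    window = timedelta(seconds=window_seconds)
    result = {}
    for line in audit_lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%m-%d-%Y %H:%M:%S.%f %z')
        view = None
        for user, load_ts, loaded_view in loads:
            # loads are time-sorted, so the last match wins = most recent load
            if user == m['user'] and load_ts <= ts <= load_ts + window:
                view = loaded_view
        result[m['sid']] = (m['user'], view)
    return result


def searches_per_dashboard(attribution):
    """Count searches per dashboard; unattributed searches land in one bucket."""
    counts = {}
    for _sid, (_user, view) in attribution.items():
        key = view or '(no dashboard load within window)'
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    attrib = attribute_searches(AUDIT_LINES, WEB_LINES)
    for sid, (user, view) in attrib.items():
        print(f"{sid:28} {user:8} {view}")
    print(searches_per_dashboard(attrib))
```

The time window is the weak point: a user who opens two dashboards within a few seconds will have the second one claim all searches, so shrink the window or add the referer field from the access log if that happens in your environment.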
05-17-2019
12:06 PM
As of version 6.x (and 7.x) the setting has been moved to the general stanza in user-prefs.conf:
[general]
default_namespace = search
05-17-2019
12:05 PM
Where does the setting go to set the default app to Search? In previous versions, this in user-prefs.conf:
[general_default]
default_namespace = search
would do it.
- Tags:
- splunk-enterprise
05-16-2019
06:52 PM
I know this is late but you could create a custom role that does not have the following capability:
accelerate_datamodel
01-31-2019
12:43 PM
In splunkd.log we see:
01-31-2019 12:38:03.683 -0800 INFO Archiver - Archiving large_file=/opt/splunk/etc/apps/search/lookups/large_lookup.csv of size_in_bytes=262621937 (exceeding threshold=52428800)
This is actually useful for finding out how large lookup files are. What is Splunk actually doing with it?
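Added example, not from the post and not Splunk code: the Archiver line quoted above carries the lookup path, its size and the threshold, so splunkd.log can be turned into an inventory of oversized lookups per app (and per user, for private lookups under etc/users). The first line below is the one from the post; the others are constructed, and the path layout assumed is `etc/apps/<app>/lookups/<file>` or `etc/users/<owner>/<app>/lookups/<file>`. It does not answer what Archiver does with the file.

```python
import re

ARCHIVER_RE = re.compile(
    r"Archiver - Archiving large_file=(?P<path>\S+) of size_in_bytes=(?P<size>\d+) "
    r"\(exceeding threshold=(?P<threshold>\d+)\)"
)
# Assumed layout: etc/apps/<app>/lookups/<file> or etc/users/<owner>/<app>/lookups/<file>
LOCATION_RE = re.compile(
    r"/etc/(?:apps|users/(?P<owner>[^/]+))/(?P<app>[^/]+)/lookups/(?P<file>[^/]+)$"
)

# First line is the one quoted in the post; the rest are constructed.
SPLUNKD_LINES = [
    "01-31-2019 12:38:03.683 -0800 INFO Archiver - Archiving large_file=/opt/splunk/etc/apps/search/lookups/large_lookup.csv of size_in_bytes=262621937 (exceeding threshold=52428800)",
    "01-30-2019 02:00:11.004 -0800 INFO Archiver - Archiving large_file=/opt/splunk/etc/apps/search/lookups/large_lookup.csv of size_in_bytes=201326592 (exceeding threshold=52428800)",
    "01-31-2019 12:40:00.000 -0800 INFO Archiver - Archiving large_file=/opt/splunk/etc/users/jsmith/search/lookups/asset_export.csv of size_in_bytes=73400320 (exceeding threshold=52428800)",
    "01-31-2019 12:41:00.000 -0800 INFO CMBucketId - unrelated line that must be ignored",
]


def large_lookups(lines):
    """Inventory of lookup files splunkd reported as exceeding its archive threshold.
    One entry per path (largest size seen wins), sorted biggest first."""
    seen = {}
    for line in lines:
        m = ARCHIVER_RE.search(line)
        if not m:
            continue
        size = int(m['size'])
        loc = LOCATION_RE.search(m['path'])
        entry = {
            'path': m['path'],
            'app': loc['app'] if loc else None,
            'owner': loc['owner'] if loc else None,   # None for app-level lookups
            'file': loc['file'] if loc else m['path'].rsplit('/', 1)[-1],
            'size_bytes': size,
            'size_mib': round(size / 1048576, 2),
            'over_threshold_by': size - int(m['threshold']),
        }
        prev = seen.get(m['path'])
        if prev is None or size > prev['size_bytes']:
            seen[m['path']] = entry
    return sorted(seen.values(), key=lambda e: e['size_bytes'], reverse=True)


if __name__ == "__main__":
    for e in large_lookups(SPLUNKD_LINES):
        who = e['owner'] or 'app'
        print(f"{e['size_mib']:8.2f} MiB  {e['app']}/{e['file']}  ({who})")
```

Feed it `grep 'Archiver - Archiving large_file' $SPLUNK_HOME/var/log/splunk/splunkd.log*` to cover rotated logs as well; lookups that never crossed the threshold will not appear, so this complements rather than replaces a filesystem walk.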
01-23-2019
08:48 PM
Did you know you could just do
| inputlookup Saved_Tests.csv where ID="$enter_saved_test_id$" | .... etc
I'm not sure but this may speed up your search, vs loading the entire lookup file and then whittling it down after.
01-17-2019
10:43 AM
3 Karma
The setting was never removed in version 7. After months of dealing with the loss and non-working solutions, I discovered on my own that it had been relocated to "Edit Permission". The search will always run as Owner if it is scheduled (makes sense). When configured as a saved search (not scheduled), the owner can set "Run As" to Owner or User via Edit Permission.
01-15-2019
05:32 PM
1 Karma
Confirmed that this works. Thank you.
Had a case open with Splunk for several years and no update. Disappointing.
11-14-2018
11:16 AM
Yes, however our users MUST be allowed to outputlookup. So cannot remove this capability.
11-14-2018
09:29 AM
Users are using outputcsv, which generates the output on our filesystem, which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact)?
It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...)
Reference: https://answers.splunk.com/answers/416877/will-csv-files-produced-by-the-outputcsv-command-b.html
outputlookup is allowed so we cannot remove output_file capability.
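Added example, not from the post and not Splunk code: when the capability cannot be removed because outputlookup must stay, the fallback is to detect outputcsv use from the audit trail and alert on it. The audit lines below are constructed; the search text is placed as the last field so an anchored regex can pull it out. The pipeline splitter is quote-aware so a `|` inside a `rex` pattern or a quoted literal containing the word "outputcsv" does not cause a false hit.

```python
import re

# Constructed audit events (not real logs); search text is the last field.
AUDIT_LINES = [
    "Audit:[timestamp=11-14-2018 09:20:01.000, user=jsmith, action=search, info=granted, "
    "search_id='1542208801.10', search='search index=hr | outputcsv hr_dump']",
    "Audit:[timestamp=11-14-2018 09:21:05.000, user=jsmith, action=search, info=granted, "
    "search_id='1542208865.11', search='search index=web | rex \"(?<code>4|5)\\d\\d\" | outputlookup codes.csv']",
    "Audit:[timestamp=11-14-2018 09:22:30.000, user=bob, action=search, info=granted, "
    "search_id='1542208950.12', search='search index=_audit \"outputcsv\" | stats count by user']",
    "Audit:[timestamp=11-14-2018 09:25:00.000, user=bob, action=search, info=granted, "
    "search_id='1542209100.13', search='search index=fw | stats count by src | outputcsv']",
]

AUDIT_RE = re.compile(
    r"user=(?P<user>[^,]+),.*?search_id='(?P<sid>[^']+)'.*?search='(?P<search>.*)'\]$"
)


def split_pipeline(spl):
    """Split an SPL string on '|' while ignoring pipes inside quoted strings.
    A backslash inside a quoted string escapes the next character."""
    segments, buf, quote, i = [], [], None, 0
    while i < len(spl):
        ch = spl[i]
        if quote:
            buf.append(ch)
            if ch == '\\' and i + 1 < len(spl):
                buf.append(spl[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
            buf.append(ch)
        elif ch == '|':
            segments.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    segments.append(''.join(buf).strip())
    return segments


def find_outputcsv(lines):
    """Return (user, sid, target_file_or_None) for every audited search whose
    pipeline contains an outputcsv command. Option arguments (key=value) are
    skipped when looking for the file name."""
    hits = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue
        for segment in split_pipeline(m['search']):
            parts = segment.split()
            if parts and parts[0].lower() == 'outputcsv':
                target = next((p for p in parts[1:] if '=' not in p), None)
                hits.append((m['user'], m['sid'], target))
    return hits


if __name__ == "__main__":
    for user, sid, target in find_outputcsv(AUDIT_LINES):
        print(f"{user} wrote {target or '<unnamed>'} via outputcsv in search {sid}")
```

A hit tells you a file landed under $SPLUNK_HOME/var/run/splunk/csv/ on the search head that only an admin can reach, which is the follow-up point of the post; pair the alert with a cleanup of that directory rather than relying on users to notice.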
10-18-2018
06:04 PM
1 Karma
The solution is to save the search as a Report. Once you save it, you can go back in and edit it to see the option to enable Summary indexing. If you save it as an Alert, the summary indexing option is missing.
10-18-2018
05:59 PM
Yes they broke it again.
10-09-2018
11:25 AM
1 Karma
It looks like as of version 7, the user is no longer able to edit this setting (Run as Owner vs User). It has moved to Advanced Edit which may be available only to admins.
1 - Does run as "Owner" bypass index access security? Assuming the saved search is readable by a user, that user does not need access to the data to run the search and see results?
2 - Since the saved search is configured to run as "Owner", the Owner's quota will be consumed when the search is run?
The saved search spec describes this setting in:
https://docs.splunk.com/Documentation/Splunk/7.2/Admin/Savedsearchesconf (I believe there is no change for this particular feature since version 6.6)
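Added example, not from either of the two posts above on "run as" and not Splunk code: the savedsearches.conf attribute behind the Owner/User choice is `dispatchAs`, which defaults to owner, and a scheduled search runs as owner regardless. Running as owner means the search executes under the owner's role, so a user who has only read permission on the report gets results from indexes their own role could not search; that is the exposure an admin wants an inventory of. The script below parses conf-style text and lists every saved search that will execute with the owner's permissions. The conf content and stanza names are constructed; the parser handles only the `[stanza]` / `key = value` / `#` comment shape and not line continuations.

```python
# Constructed savedsearches.conf content; stanza names are hypothetical.
SAMPLE_CONF = """\
# shared report that exposes owner-level data access to anyone who can read it
[Firewall denies by source]
search = index=firewall action=blocked | stats count by src_ip
dispatchAs = owner

# same report, but ad-hoc dispatches run under the caller's own role
[Firewall denies by source (run as user)]
search = index=firewall action=blocked | stats count by src_ip
dispatchAs = user

# scheduled: always runs as owner, dispatchAs is irrelevant here
[Nightly auth summary]
search = index=auth | stats count by user
enableSched = 1
cron_schedule = 0 2 * * *

# no dispatchAs at all: the default is owner
[Ad hoc HR headcount]
search = index=hr | stats dc(employee_id)
"""


def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}. Ignores comments,
    blank lines and anything before the first stanza; no line continuations."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            stanzas[current] = {}
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def owner_dispatched(stanzas):
    """Saved searches that execute with the owner's permissions: scheduled ones
    (always owner) and unscheduled ones with dispatchAs unset or 'owner'."""
    findings = []
    for name, kv in stanzas.items():
        scheduled = kv.get('enableSched', '0') == '1'
        run_as = kv.get('dispatchAs', 'owner').lower()   # default is owner
        if scheduled:
            findings.append((name, 'scheduled'))
        elif run_as == 'owner':
            findings.append((name, 'dispatchAs=owner'))
    return findings


if __name__ == "__main__":
    for name, reason in owner_dispatched(parse_conf(SAMPLE_CONF)):
        print(f"{reason:18} {name}")
```

Feed it the merged view from `$SPLUNK_HOME/bin/splunk btool savedsearches list` (without `--debug`, whose per-line file prefixes this parser does not strip). The list tells you which reports run as owner; who can read them is a separate question answered by the object permissions, so cross-check the flagged reports against their sharing level before deciding whether `dispatchAs = user` or tighter read permissions is the fix.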
08-23-2018
11:07 AM
Thanks but the example did not support an actual by-clause
index=_internal sourcetype=splunkd*
| stats count by sourcetype
| map search="search index=_internal sourcetype=$sourcetype$ | timechart count as $sourcetype$ | predict $sourcetype$"
| stats values(*) as * by _time
I need predict to support "timechart count as $sourcetype$ by host" for example.
08-17-2018
10:37 AM
1 Karma
Is there a way to split by using predict?
I can predict on a single factor, e.g.
| timechart span=1h max(values) as values | predict values
How about:
| timechart span=1h max(values) as values by user?
08-07-2018
04:11 PM
Interesting. I wonder if this is then a bug in a previous version that they didn't want to acknowledge as a bug but secretly fixed. It has happened.
07-25-2018
12:16 PM
Instead of join, it may be more efficient to use the lookup command. E.g.
index ="12345" sourcetype = "system_database" | lookup manual_db.csv deviceName | lookup manual_software_db.csv productFamily | lookup manual_software_db.csv | search swType=105 ...
Every subsearch is a search that needs to complete before Splunk can proceed to the next step, so it is always a good idea to reduce the number of joins/subsearches wherever possible.
06-29-2018
12:52 PM
1 Karma
[serial_number]
INDEXED_VALUE=false
06-28-2018
11:37 AM
This broke for us after upgrading to version 7.0. It was previously also required in version 5.x. Looks like they changed it back in version 7.
06-28-2018
11:35 AM
Known bug (now) SPL-154382:
http://docs.splunk.com/Documentation/Splunk/7.0.4/ReleaseNotes/Knownissues
Looks like changes to capabilities required to be able to see this list of summary indexes. The role that is scheduling the search needs to include "indexes_edit" and "dispatch_rest_to_indexers" capabilities. Once this is configured, user should see the list of summary indexes.
06-28-2018
11:25 AM
I have legitimate objects that I don't want deleted. As well, I would prefer not to have to assign these to myself. Guess a dummy account could work here. But come on, Splunk ...
06-27-2018
03:28 PM
I've got a large number of orphaned objects that I'd like to clean up (delete). I don't see any way to do this in the UI:
Reassign Knowledge Objects view allows me to reassign (check a bunch of boxes) to myself. Once I do this, I can see the object in my list, however, I must go in one by one and click on Edit -> Select Delete.
Does anyone have a better/faster way to do this in version 7.0?
06-27-2018
10:34 AM
You don't need to use the regex command if the field extract already exists:
root search jsmith OR AccountName=jsmith
06-19-2018
12:52 PM
In version 6.6* and 7, it looks like the limit to table rows has been reduced to 10.
"Embedded reports do not have all the features of reports as viewed in Splunk Web. For example, embedded reports do not have drilldown functionality, support for workflow actions, table sorting, or field expansion. When embedded reports display table visualizations, those tables are limited to 10 rows. "