cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
marone
Explorer
Member since: ‎05-12-2020
‎05-25-2021
Community Statistics
Posts 14
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎05-12-2020
Activity Feed
View All

Re: Why am I unable to browse for more apps?

by in Security
‎05-25-2021 01:07 AM
‎05-25-2021 01:07 AM
I had the same issue, for me I was using a vpn which splunk oculd not reach the right host, if oyu are using a vpn as well just disconnect from it and try again. Hope it will help someone! ... View more

When the end of support of SplunkJS

by in #Random
‎04-07-2021 03:16 AM
‎04-07-2021 03:16 AM
Greeting folks, I've read somewhere that SplunkJS will no longer be supported, instead, will be replaced by Splunk react, I don't remember where I read it but can someone confirm or deny such an information and refer me an official link please?  Happy splunking 🙂  ... View more

How to dynamically change cell color based on mult...

by in Dashboards & Visualizations
‎05-28-2020 11:21 AM
‎05-28-2020 11:21 AM
Hi, I have a multi-select input with user permissions to change cell color ( colorPalette ) based on values the user enters. Here is the creation of my multi-select input : <input type="multiselect" token="chosenAdmin" searchWhenChanged="true"> <label>field1</label> <fieldForLabel>user</fieldForLabel> <fieldForValue>user</fieldForValue> <search> <query>my query <earliest>0</earliest> <latest></latest> </search> <delimiter> </delimiter> </input> This is the color palette I tried: <format type="color" field="user"> <colorPalette type="expression">if (match(value, $chosenAdmin$),"#DC4E41", true())</colorPalette> </format> The $chosenAdmin$ token can contain 1 or more users. This changes the color of all cells of my "user" to red. Any idea how to solve this problem? ... View more
Labels

Re: retention policy on log files

by in Getting Data In
‎05-26-2020 05:17 AM
‎05-26-2020 05:17 AM
thanks i see what you mean ... View more

Re: retention policy on log files

by in Getting Data In
‎05-26-2020 03:39 AM
‎05-26-2020 03:39 AM
yes indeed, i was looking for a parameter in log-config.cfg like frozenTimePeriodInSecs but i guess there is not, instead of that configure frozenTimePeriodInSecs in indexes.conf plus reduce amount of file size for all log files will do the job for a good retention policy. Thanks for mentioning that most of logs files are ingested to _internal index ... View more

Re: retention policy on log files

by in Getting Data In
‎05-26-2020 03:29 AM
‎05-26-2020 03:29 AM
yes i saw the doc was looking for a parameter like frozenTimePeriodInSecs in indexes.conf, but i think decreasing maxFilesize and number of backup index plus configuring frozenTimePeriodInSecs for _internal will result to a good retention policy i guess ... View more

Re: retention policy on log files

by in Getting Data In
‎05-26-2020 02:29 AM
‎05-26-2020 02:29 AM
thanks for reply, i's true what you are saying but your answer is applied to bucket stored in $SPLUNK_HOME/var/lib/splunk , but the information wil still in log files who lives in SPLUNK_HOME/var/log as I said in my question, i want to apply retention policy on those logs (configure log-local.cfg if it's possible or another way), or applying retention policy as you said for index will automaitcally delete data from logs (aka from SPLUNK_HOME/var/log ) ? ... View more

Re: retention policy on log files

by in Getting Data In
‎05-26-2020 02:28 AM
‎05-26-2020 02:28 AM
thanks for reply, i's true what you are saying but your answer is applied to bucket stored in $SPLUNK_HOME/var/lib/splunk , but the information wil still in log files who lives in SPLUNK_HOME/var/log as I said in my question, i want to apply retention policy on those logs (configure log-local.cfg if it's possible or another way), or applying retention policy as you said for index will automaitcally delete data from logs (aka from SPLUNK_HOME/var/log ) ? ... View more

Re: retention policy on log files

by in Getting Data In
‎05-26-2020 02:18 AM
‎05-26-2020 02:18 AM
thanks for your comment, yes a typo error logs are in $SPLUNK_HOME/var/log and the log-local.cfg are in $SPLUNK_HOME/etc i modified it ... View more

retention policy on log files

by in Getting Data In
‎05-26-2020 01:46 AM
‎05-26-2020 01:46 AM
Hi, I want to implement retention policy on log files, in the doc https://docs.splunk.com/Documentation/Splunk/8.0.3/Troubleshooting/Enabledebuglogging they didn't mention such a configuration, there is only how to configure the maximum size of a log file (configuration of log-local.cfg), i want this configuration be applied to log files who live in SPLUNK_HOME/var/log , is there any workaround to do so ? ... View more
Labels

Re: Native Splunk Password Expiry Alert - Is it no...

by in Alerting
‎05-18-2020 10:12 AM
‎05-18-2020 10:12 AM
The alert is displayed when a user login (image above), you have to specify some parameters in the authentication.conf (https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Authenticationconf), to do so : declare the stanza splunk_auth and modify the following keys : [splunk_auth] minPasswordLength = 8 minPasswordUppercase = 1 minPasswordLowercase = 1 minPasswordDigit = 1 minPasswordSpecial = 1 expirePasswordDays = 20 expireAlertDays = 42 expireUserAccounts = True forceWeakPasswordChange = True lockoutUsers = True lockoutMins = 30 lockoutAttempts = 3 enablePasswordHistory = True passwordHistoryCount = 5 ... View more

Re: Get failed login attempts from curl authentica...

by in Security
‎05-13-2020 01:45 AM
‎05-13-2020 01:45 AM
there is another workaround to get more information such as clientip, host, etc. by querying the api used in curl index=_internal uri="/services/auth/login" , the information is logged in splunkd_access.log, and for ui failure authentications in splunk web are logged in splunkd_ui_access.log ... View more

Re: Get failed login attempts from curl authentica...

by in Security
‎05-12-2020 08:03 AM
‎05-12-2020 08:03 AM
Thanks it's working, but can I get some information about who's trying to login like IP address, machine name, etc. ?? im just getting a simple event : 05-12-2020 16:18:08.790 +0200 WARN AuthenticationManagerSplunk - Login failed. Incorrect login for user: myUser ... View more

Get failed login attempts from curl authentication

by in Security
‎05-12-2020 07:31 AM
‎05-12-2020 07:31 AM
Hi I'm trying to get failed login from users who try to authenticate to Splunk using curl authentication, my command was curl -k https://localhost:8089/services/auth/login --data-urlencode username=myUser --data-urlencode password=myWrongPass and get an XML response saying that it's incorrect username or password, but when I enter valid credentials from this SPL search command : index="_audit" action="login attempt" curl I only get successful authentication not failed ones. I'm interested to get a list of all failed logins who used curl. Event result : Audit:[timestamp=05-12-2020 16:11:55.106, user=myuser, action=login attempt, info=succeeded reason=user-initiated useragent="curl/7.69.1" clientip=127.0.0.1 session=3a7b3720876a61c93d1584b2b8613fe1][n/a] ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-25-2021 04:28 AM
Karma given to
View All