Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bwakely
bwakely
Explorer
Member since:
02-02-2012
06-18-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 3 |
| Member Since | 02-02-2012 |
Activity Feed
- Karma Re: Delete Specific Key from KVSTORE for scoughlin1. 06-05-2020 12:50 AM
- Karma Re: Why are app icons only visible to users with the admin role? for manjunathmeti. 06-05-2020 12:47 AM
- Got Karma for Dashboard issues - search runs in search window, not in dashboard as an inline string.. 06-05-2020 12:47 AM
- Got Karma for Troubles with disk space / quotas / $SPLUNK_BASE/var/run/splunk/srtemp/. 06-05-2020 12:46 AM
- Got Karma for Troubles with disk space / quotas / $SPLUNK_BASE/var/run/splunk/srtemp/. 06-05-2020 12:46 AM
- Posted Re: Azure AD SSO to F5 SP on Getting Data In. 10-13-2019 03:50 PM
- Posted Dashboard issues - search runs in search window, not in dashboard as an inline string. on Dashboards & Visualizations. 04-09-2015 11:13 PM
- Tagged Dashboard issues - search runs in search window, not in dashboard as an inline string. on Dashboards & Visualizations. 04-09-2015 11:13 PM
- Tagged Dashboard issues - search runs in search window, not in dashboard as an inline string. on Dashboards & Visualizations. 04-09-2015 11:13 PM
- Tagged Dashboard issues - search runs in search window, not in dashboard as an inline string. on Dashboards & Visualizations. 04-09-2015 11:13 PM
- Posted Re: Splunk login page blank from outside after upgrade to 6.2 on Security. 11-13-2014 03:51 PM
- Posted Re: Splunk login page blank from outside after upgrade to 6.2 on Security. 11-09-2014 09:03 PM
- Posted Clean up deployment config: splitting serverclass.conf on Deployment Architecture. 10-17-2012 09:41 PM
- Tagged Clean up deployment config: splitting serverclass.conf on Deployment Architecture. 10-17-2012 09:41 PM
- Tagged Clean up deployment config: splitting serverclass.conf on Deployment Architecture. 10-17-2012 09:41 PM
- Tagged Clean up deployment config: splitting serverclass.conf on Deployment Architecture. 10-17-2012 09:41 PM
- Posted Re: Troubles with disk space / quotas / $SPLUNK_BASE/var/run/splunk/srtemp/ on Monitoring Splunk. 09-24-2012 09:01 PM
- Posted Troubles with disk space / quotas / $SPLUNK_BASE/var/run/splunk/srtemp/ on Monitoring Splunk. 06-20-2012 07:34 PM
- Tagged Troubles with disk space / quotas / $SPLUNK_BASE/var/run/splunk/srtemp/ on Monitoring Splunk. 06-20-2012 07:34 PM
- Tagged Troubles with disk space / quotas / $SPLUNK_BASE/var/run/splunk/srtemp/ on Monitoring Splunk. 06-20-2012 07:34 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 2 |
10-13-2019
03:50 PM
We're hitting the limit here,
we haven't resolved it yet, but this might be at least more info for anyone else coming across the issue...
Update via Splunk support:
The issue is an Enhancement Request : SPL-159073 is that if an Azure SSO user is a member of more than 150 groups a link is sent rather than the group details, and at present Splunk doesn't handle that link. We also encountered some cases where there are more than 100 groups, not 150 as indicated.
There's also a (draft as at time of support ticket) Splunk knowledge article support provided (reproduced with permission):
Title - Splunk - Azure SAML/SSO authentication error "saml response does not contain group information"
Summary - Instructions on how to avoid receiving the error "saml response does not contain group information" when connecting to Splunk with SAML via Azure configured.
Description: To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in a groups claim. If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.
How to Identify:
- Splunk is configured for SAML authentication with Azure AD as the Identity Provider
- You attempt to login to Splunk with an Azure AD user which is a member of a SAML group configured in Splunk, and a member of more than 150 Azure AD groups in total (including nested groups).
- You receive the error "saml response does not contain group information" when logging in to Splunk.
Investigation: Enhancement Requests: SPL-134770 SPL-159073
Resolution:
Option 1: Reduce the overall group membership for each connecting Azure AD user to less than 150.
Option 2: Use Azure Application Roles instead of Azure AD Groups for authorization:
Azure - Define the required Application Roles
Splunk - Update the SAML configuration "Role Alias" to use: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Splunk - Create SAML groups to match the Application Role names.
Related Links:
Using Application Roles: https://social.technet.microsoft.com/wiki/contents/articles/40055.azure-ad-application-roles-essentials.aspx
Details on Azure AD group sending behavior: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862
--Benji
... View more
04-09-2015
11:13 PM
1 Karma
Greetings all,
I've set up the splunk DB connect app (v.117),
I can query an MSSQL database / explore schema.
I can run a search command, example:
|dbquery "MYDB" limit =1000 "select 1"
I cannot get any results returned when I embed this as an inline search into a dashboard panel.
Can someone explain why a saved search works while an inline search doesn't?
(I also can't get '|metatdata hosts' working as an inline string...)
--Benji
... View more
- Tags:
- dashboards
- dbx
- inline
11-13-2014
03:51 PM
...Yes. Yes, we did. Sorry, it had been a busy few days and it slipped my mind.
We're using F5 LTM, 11.5.1, hotfix 5
(Hotfix-BIGIP-11.5.1.5.0.147-HF5.iso)
We had set our virtual server to use an SSL certificate with SSLv3 explicitly enabled,
and F5 no longer offers that as an option.
Virtual server reconfigured to use SSL cert with SSLv3 disabled:
Local Traffic >> Virtual Servers : Virtual Server List >> vs_splunk.latrobe.edu.au_443
Switched the SSL certificate from the existing one to one with SSLv3 disabled.
Disabled SSLv3 in the SSL Certificate / client profile:
Profile >> SSL >> Client
In the SSL certificate profile in question,
select: "Configuration: Advanced"
In the 'ciphers' section, alter:
!EXPORT:!DH:!MD5:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:@SPEED
to
DEFAULT
Possibly relevant reading:
https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html
See if that helps.
... View more
11-09-2014
09:03 PM
Hi John,
We had the same thing happen here - upgraded to 6.2 from 6.0.3,
restarted the search heads after upgrade,
and the page wouldn't render anything other than a background colour in a browser.
This effect happened when viewing the page through our F5 load-balancers (https/port 443),
it did not happen when viewing the back-end directly (http/port 8000)
yannK's answer to "Upgraded to 6 and the login page for splunk-web is broken"[2] helped - I:
deleted the contents of $SPLUNK_HOME/var/run/splunk/appserver/
restarted browser a few times
restarted the search head
and it eventually rendered properly every time.
--Benji
... View more
10-17-2012
09:41 PM
Greetings, all.
This isn't a big deal,
but is there some kind of #include directive you could use in, say, serverclass.conf?
Or can you have multiple serverclass.conf files stack up in the same way as some other splunk config files?
I can predict out serverclass.conf file becoming ... unwieldy.
I'd prefer to have a:
serverclass.conf:
#include serverclass-prd.conf
#include serverclass-qas.conf
#include serverclass-tst.conf
type arrangement.
--Benji
... View more
09-24-2012
09:01 PM
I think that we'll just have to go with:
Mount /var/ to a completely separate partition,
so it doesn't exhaust the root partition of the server.
It means we have to provide an extra $RESERVE (2Gb in our case) of unusable space on that partition - if it gets used up, splunk will stop indexing - but it's the lesser of the evils.
Thanks for speaking up.
--Benji
... View more
06-20-2012
07:34 PM
2 Karma
Greetings all,
Issue: Space on server exhausted, primarily in folder $SPLUNK_HOME/var/run/splunk/srtemp
Splunk version: v4.2.5
OS / version: RedHat Enterprise Linux v.6.2
Steps to replicate:
using an app (the 'splunk for f5 (beta)' app (v0.2) in this case), with dashboard views of more than a few charts.
extend time range to more than a small amount (a few days),
splunk runs out of disk space in a very short time period.
Further Diagnosis:
I don't believe this is a problem specific to the app
The app collects data from the indexer, slowly accumulating data in the $SPLUNK_HOME/var/run/splunk/dispatch folder. This process obeys user quotas.
This continues for some time, then when all the data is collected (or the quota is hit), the dashboards / graphs begin to generate
When the 10 dashboard widgets start to populate, splunk starts filling up the 'srtemp' / working directory with calculations.
These are populated in parallel, and grow to be very large (each one takes about 1Gb per day's worth of data being crunched in our case),
so (for example) 10 days of history takes (10days X 1Gb) = 10Gb in under 5 mins.
I believe that this result could be replicated by any dashboard that's intensive enough, so I don't think it's specific to the app - I think that it's a problem with Splunk.
Also, this problem won't really be solved by leaving some amount of overhead, as it will be trivial for a normal user to run the server out of space by doing the following:
Generate a dashboard with an arbitrary amount of charts working off the same dataset
load the dashboard
their dispatch directory will fill up to the quota (e.g. 100M), which helps limit the total size, but the 'srtemp' space will fill up depending on how many charts and how
complex they are.
I've submitted a support case regarding this (86131),
the response has been:
Currently we don't have any parameter for the limitation of the size of srtemp.
The reason is that we don't know how big is the result might be, to
limit the size of temp folder will cause in-complete search result.
I suggest to leave at least 2GB for the temporary usage.
While I appreciate the response,
for our use case it's trivial for the user to fill up the available space, including any amount of reserve (2GB or upwards) by clicking on the wrong time range, which will end up presenting incomplete search results as well as crashing the server...
I've submitted an enhancement request as part of the same case to implement some kind of per-user quota that is applied to working/temporary space,
but I was wondering if anyone else had come across this problem,
and if so,
how they were dealing with it.
Any similar experiences?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-18-2020
08:33 PM
|
