Hi Team, Wanted to check if any of you have used LDAP only for Authentication and then handled the roles using splunk internal roles management. Documentation suggests we could do this by doing a config which tricks LDAP to treat each user as LDAP group. http://docs.splunk.com/Documentation/Splunk/6.1.3/Security/MapLDAPgroupsanduserstoSplunkroles#Map_users_directly_to_roles IF you have implemented pls share details, pros and cons if any. Also , in such imlementation, once the user is deleted in LDAP , then we would have to take care of removing the roles mapped to this deleted user on the splunk end right? If you could share insights on this. ... View more

Hi Team, In my implementation splunk is integrated with LDAP authentication, users who left the organizations will be removed from the LDAP group as part of exit process form is submitted to LDAP group. question is how do we get to know of that exited user in splunk so that we can do the clean up on splunk end(backing up/re-assigning/deleting his users directory) , especially those users who did not have any splunk artifacts (i.e. they were just looking up dashboards etc hence will not be listed as part of orphaned searches or objects). Looking forward to you inputs. Thank you! ... View more

Hi Team, We have a cluster which has multiple apps under it. I am working on boarding the apps logs onto splunk. So far we have been using individual apps which had their own serverclass.conf and inputs.conf.dist,index and role and we built it that way since now we are consolidating all the apps in a cluster to utilize same index and roles but have different hosts/inputs . Question - How can i have hosts and inputs of the 2 apps[ hosts n inputs are completely different] specified in single serverclass.conf and inputs.conf.dist? does it have to be different stanzas or something along those lines? Probably I can whitelist all hosts under serverclass.conf and all inputs in inputs.conf.dist and they get pushed out such that all the hosts [app1 & app2] will have all the configs [app1+app2], but this does not look efficient and I believe there is a better way to do it. In our splunk environment deployment is automated i.e. by deployment server, separate deployers for search head cluster and indexer cluster. Any guidance is appreciated, thanks in advance. Please let me know if more details are needed. App1 host1-app1.com host2-app1.com /app/services/weblog.log /app/services/weberror.log App2 host1-app2.com host2-app2.com /app/dyn/system.log /app/dyn/systemerror.log ... View more

Hi Team, Can we have same field extraction for the same sourcetype in 2 different apps? If I already have a Field Extraction based on sourcetype when I try to create another field extraction under different app from the Web GUI for the same pattern in the log I cannot do it. I understand field extractions seem to be at sourcetype level hence we might not be able to. The challenge that I am having is that I have 2 dashboards which are in 2 different apps, I had created the field extraction in one app, it is shared at "app" level. Now in the other app also I need the same extraction and it is not available. I do not have the permission to make the existing field extraction global hence I was thinking of creating another extraction in the same app. Other than making it global is there any other option? Thanks! ... View more

enter code here Hi Team, We have an application platform which is gateway for multiple applications[1000+ apps], we have ingested platform logs in splunk. Platform team wants to setup alerts for each of the applications if the number of HTTP 500 requests breaches the threshold say 5% of the total requests for that app. Alert schedule is every 5 mins. Alert should be sent to corresponding app team as there are more than 1000+ apps, platform team cannot handle. I am using the top command with limit=0 , this is giving the total events across all the applications in last 5 mins but i want to be able treat the count of specific application as 100 and then calculate the 500 requests % and check if the threshold is violated. my current query index=abc | top HttpStatus app limit=0 This is how my current query data looks like , App1+App2 adds up to 100% HttpStatus app count percent 400 App1 30 0.091609 200 App1 15 0.045804 500 App1 6 0.018322 200 App2 3813 11.643459 400 App2 2 0.006107 500 App2 28882 88.194699 This is how i want the output to be able to trigger at app level. app1 breakup sums up to 100%,likewise App2 breakup sums up to 100%. Then i can link it to lookup and check if the 500 requests have exceeded the threshold % and then trigger the alert. HttpStatus app count percent 400 App1 30 58.82352941 200 App1 15 29.41176471 500 App1 6 11.76470588 200 App2 3813 11.66162033 400 App2 2 0.006116769 500 App2 28882 88.3322629 I want to use single consolidated alert which can trigger for each applications threshold violation[i plan to use lookup for thresholds] as we do not want to set up 1000 odd individual alerts specific to application Can you share your thoughts if there is a way to achieve this or something similar. Thanks! ... View more