I have to deploy the Cisco ACI Add-on for Splunk Enterprise on a heavy forwarder without web interface. How can I configure it with the configuration files, the Readme mentions only the web interface. ... View more

Is it possible to use SAML, LDAP and Splunk authentication at the same time? If yes, which is the order of the authentication methods tried? ... View more

We are running heavy forwarders to accept events from a number of universal forwarders, do some transforms and filtering with props and transforms, and then send them to our indexers. We'd like to use the forwarder license on them, so we don't have to enable a connection to our license master. What capabilities are enabled with this license? Or more specific, are the functions of the parsing, merging and typing pipelines, according to HowIndexingWorks, available with the forwarding license? ... View more

We often have events in an index for several customers, but each customer should not see the whole index. I'm looking for a mechanism like the s-bit on traditional Linux systems. E.g. a search, which is called from an origin search, which enforces some filtering rules based on the user running the origin search. Search Term Restrictions are not flexible enough. Another option which comes into my mind is to implement a custom command in Python which searches via the REST API call and enforces the rules. Are there any other smart ideas out there? ... View more

How can a search head and an indexer cluster be merged after the cluster has been run intentionally in a split brain setup for some time. e.g. the connections between two locations of a multi site cluster is broken and a captain has been assigned manualy to the second site. ... View more

I get this error messages for rather simple regexep 10-11-2018 07:48:27.818 +0200 ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex: (\S+\s+\S+\s+\S+)\s+(?\S+).\ss=(?\S+)\s.+\sx=(?\S+)\s+mod=(?\S+)\s+(?cmd=(env_from|data|msg).) 10-11-2018 07:48:27.818 +0200 ERROR regexExtractionProcessor - Regex for stanza SDCS-liveclone-firmenich-ls_reformat01 exceeded configured PCRE match limit. Consider raising the MATCH_LIMIT for the regex in props.conf The transforms which contains this regexp is [SDCS-liveclone-xxxxxxxx-ls_reformat01] SOURCE_KEY = _raw (env_from|data|msg).*) REGEX = (\S+\s+\S+\s+\S+)\s+(?<host>\S+).*\ss=(\S+)\s.+\sx=(?\S+)\s+mod=(\S+)\s+(cmd=(env_from|data|msg).*) DEST_KEY=_raw FORMAT=$1 transaction_id=$2_$4 server=$2 session_id1=$3 session_id2=$4 mod=$5 $6 The match limit is 10'000 and the regexp is rather simple so i don't see a reason for this error. ... View more

We have an app which is deployed for different user groups which are distinguished by different roles which gives them access to their indexes. The searches use an asterisk in the index specification so each user gets the data from the index to which he gets access based on his role. We need the same functionality for lookups, e.g. lookuptable_a (belongs role a) lookuptable_b (belongs role b) spl: index=* | lookup lookuptable_* ... Depending on the users role either lookuptable_a or lookuptable_b should be used, but wild-carding of lookup-table-name is not supported ... View more

We'd like to change the default app for a group of users with a given role as we replace an app and will phase out and delete the old app in the future. I tried to figure out how the default app is determined and assume: The first time the user logs in, his/her default app is determined and stored in the users own user-prefs, SPLUNK_HOME/etc/users//user-prefs/local/user-prefs.conf. A LDAP user has an empty default app (something else may be defined in SPLUNK_HOME/etc/apps/local/user-prefs.conf , but only one for all users), so a default app from the assigned roles is taken. A local user gets the launcher as default app upon first login. If more than one assigned role defines a default app, to outcome seems to be undefined. If the user has no permission on the app defined in the user.prefs, a page with the list of all available apps to which the user has access will be displayed. A user may change the own default app in the preferences any time. Are this assumptions correct, I did not find anything in the documentation. So changing the default app for the role will probably only affect new users. If we will remove the old App in the future, these user will get the list of all app to which they have access. this is something we try to avoid for various reasons. ... View more

Has anyone real world experience on the difference in the load on a search head if a real time search is executed as Indexed real-time search. Of course the number of possible parallel searchess should increase, but how much load do this searches generate. ... View more

We are developing an app with dashboards which are only shown if the current user has certain Splunk roles, this roles also grant access to the specific indexes. The developers have all this roles, but in order to see the app as a user with a certain role would see it, they need to be able to temporarily drop some roles they own. Any idea except creating test users? BTW, the developers don't get the admin role 😉 ... View more