Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- About jonaclough
jonaclough
Path Finder
Member since:
11-09-2018
a month ago
Community Statistics
| Posts | 33 |
| Solutions | 0 |
| Karma Given | 8 |
| Karma Received | 2 |
| Member Since | 11-09-2018 |
Activity Feed
- Posted Re: How can I determine who modified a dashboard? on Dashboards & Visualizations. a month ago
- Posted Re: How to check who has updated a lookup on Splunk Search. 09-03-2024 11:12 PM
- Karma Re: How to check who has updated a lookup for thx. 09-03-2024 11:06 PM
- Posted Re: How to check who has updated a lookup on Splunk Search. 09-03-2024 02:17 AM
- Posted Re: What happens to knowledge objects once the owner user is deleted? on Knowledge Management. 06-14-2024 01:02 AM
- Posted Re: Detecting when subsearch limits are exceeded by scheduled searches on Reporting. 10-24-2023 05:15 AM
- Posted Re: Detecting when subsearch limits are exceeded by scheduled searches on Reporting. 10-24-2023 04:56 AM
- Posted Detecting when subsearch limits are exceeded by scheduled searches on Reporting. 10-19-2023 06:54 AM
- Posted Re: Report failed schedule report on Reporting. 10-19-2023 06:48 AM
- Karma Re: capability required to view all indexes for gcusello. 02-20-2023 02:01 AM
- Posted Re: capability required to view all indexes on Getting Data In. 02-20-2023 01:14 AM
- Got Karma for Re: Is there a way to configure Splunk to make scheduled searches having a higher priority than ad-hoc searches?. 02-17-2023 09:36 AM
- Posted Re: Is there a way to configure Splunk to make scheduled searches having a higher priority than ad-hoc searches? on Splunk Enterprise. 02-17-2023 06:53 AM
- Posted Re: capability required to view all indexes on Getting Data In. 02-17-2023 06:41 AM
- Posted Re: Moving to cloud: Splunk Enterprise to Azure or AWS vs Splunk Cloud on Splunk Enterprise. 01-25-2023 05:48 AM
- Posted Re: How can we limit the tstats record? on Splunk Search. 01-20-2023 02:28 AM
- Posted On-Prem and Cloud Hybrid Architecture on Deployment Architecture. 01-20-2023 12:25 AM
- Tagged On-Prem and Cloud Hybrid Architecture on Deployment Architecture. 01-20-2023 12:25 AM
- Posted Federated Search Questions- Authentication option and Indexers? on Splunk Search. 01-18-2023 12:04 AM
- Tagged Federated Search Questions- Authentication option and Indexers? on Splunk Search. 01-18-2023 12:04 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a month ago
I tried the suggestions above. The SPL against the _internal index doesn't show modifications to dashboards. The SPL against the _audit index does but it shows a numeric ID for the user which I believe to be unrelated to the actual user. I say this as because this same ID is responsible for 99% of action=modify events across the platform. So I would presume it to be the splunk system user.
... View more
09-03-2024
11:12 PM
This does work, in general. However for a specific time when we know the lookup was edited I can see no results. The use case is that a user added billions of events to a file lookup which broke SH replication. I want to find out which user. I can see the lookup update action in the _audit index but the user is "n/a". I cannot find any corresponding searches with outputlookup nor any entries using the query against the _internal index.
... View more
09-03-2024
02:17 AM
I also have a lookup which is being updated but the user is n/a. It's a csv lookup. I cannot find any relevant occurrences of outputlooup before the update event. What other ways than using outputlookup could there be which resulted in the lookup being updated?
... View more
06-14-2024
01:02 AM
Could this contribute to the slow performance when search for Knowledge Objects in our deployment? We have over 2000 user directories in $SPLUNK_HOME/etc/users on our SHs, representing every user who ever existed since we started with Splunk. When we run Settings -> Searches, Report and Alerts it can take over a minute to find a search.
... View more
10-24-2023
05:15 AM
Additional info: you can see the limit being hit from the job inspector:
... View more
10-24-2023
04:56 AM
Thanks for pointing me to this excellent log source! I created a search which is intended to exceed the subsearch maxout limit: index=main [search index=main earliest=-1w | fields host | head 11000 | format] (I checked the subsearch is over 11000 records) This doesn't trigger an error or warning in _audit, _internal or from the GUI From the limits.conf documentation I see this setting: maxout = <integer>
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Default: 10000 So would expect my search to exceed the limit. I'm now confused as to whether I'm misinterpreted something.
... View more
10-19-2023
06:54 AM
Is there a way to detect subsearch limits being exceeded in scheduled searches I notice that you can get this info from REST: | rest splunk_server=local /servicesNS/$user$/$app$/search/jobs/$search_id$
| where isnotnull('messages.error')
| fields id savedsearch_name, app, user, executed_at, search, messages.* And you can kinda join this to the _audit query: index=_audit action=search (has_error_warn=true OR fully_completed_search=false OR info="bad_request")
| eval savedsearch_name = if(savedsearch_name="", "Ad-hoc", savedsearch_name)
| eval search_id = trim(search_id, "'")
| eval search = mvindex(search, 0)
| map search="| rest splunk_server=local /servicesNS/$user$/$app$/search/jobs/$search_id$
| where isnotnull('messages.error')
| fields id savedsearch_name, app, user, executed_at, search, messages.*" But it doesn't really work - I get lots of rest failures reported and the output is bad. You also need to run it when the search artifacts are present. Although my plan was to run this frequently and push the result to a summary index. Has anyone had better success with this? One thought would be to ingest the data that is returned by the rest call (I presume var/run/dispatch). Or might debug level logging help?
... View more
Labels
- Labels:
-
scheduled search
10-19-2023
06:48 AM
Scheduled report: index=_internal source="*scheduler.log" log_level=ERROR
| eval user=mvindex(split(savedsearch_id, ";"), 0)
| eval app=mvindex(split(savedsearch_id, ";"), 1)
| eval search=mvindex(split(savedsearch_id, ";"), 2)
| stats count by user, app , search, message Failed search: index=_audit action=search has_error_warn=true fully_completed_search=false
... View more
02-20-2023
01:14 AM
I can't believe I never noticed that option! We create indexes weekly so this will be very useful 🙂
... View more
02-17-2023
06:53 AM
1 Karma
You can set limits on the relative number of ad-hoc vs scheduled searches that can run on a SH: https://docs.splunk.com/Documentation/Splunk/9.0.4/admin/Limitsconf The setting max_searches_perc is worth investigating. This will give more room for the scheduled searches to operate. You could also have SHs dedicated to scheduled searches
... View more
02-17-2023
06:41 AM
My use-case is that I want to create a role which has access to all indexes. However I don't to have to be updating this role every time a new index is onboarded. And I don't want to overprovision users with admin access. Is this possible? We're on-prem 8.2.2
... View more
01-25-2023
05:48 AM
I'd love to hear about how you got on with the architecture. Have you migrated already? We have similar considerations.
... View more
01-20-2023
02:28 AM
If you want to filter by column try something like this | tstats allow_old_summaries=t summariesonly=t
count min(_time) as first_time max(_time) as last_time
from datamodel=Network_Traffic
where All_Traffic.action="allowed"
by All_Traffic.dvc All_Traffic.rule All_Traffic.src_ip All_Traffic.dest All_Traffic.dest_port All_Traffic.action All_Traffic.transport
| rename All_Traffic.* as *
| sort 0 - last_time
| convert ctime(first_time) ctime(last_time)
| fields dvc rule src_ip dest dest_port transport count first_time last_time action
... View more
01-20-2023
12:25 AM
We have an on-prem Splunk deployment with 50TB/day ingest, 22PB storage, long term retention (1 year on most indexes). We use Kafka as primary ingest method. We collect cloud logs in Azure using EventHub and Kinesis in AWS. We then use Kafka MirrorMaker to bring cloud logs into on-prem Kafka. The volume ratio is currently 95% on-prem vs 5% cloud logs by volume. Inevitably this ratio will change in favor of cloud logs. And the cost to bring cloud logs on-prem will rise. For Azure alone we estimate Microsoft charge $15k/month for 5TB/day data egress. And of course the size of our cloud pipe is an issue. Therefore we are considering an architecture which will avoid backhauling cloud logs. Our stakeholders have made it clear they want a seamless experience - no logging into multiple platforms. Is your organization in a similar position to this or have you overcome this problem?
... View more
- Tags:
- Hybrid
Labels
- Labels:
-
indexer clustering
01-18-2023
12:04 AM
Regarding Federated search:
Is the only authentication option username and password? We use SSO on the remote search head (LDAP/Reverse Proxy) which would be preferable.
Why do you need to explicitly define each remote index on the FSH? Why don’t Splunk allow you to enable all indexes and save the effort of having the maintain the list
... View more
- Tags:
- Federated Search
Labels
- Labels:
-
other
05-03-2022
03:23 AM
If admission rules had an extra rule action option "issue warning" rather than just "filter search" that would do the job.
... View more
05-03-2022
01:47 AM
Is there a way of showing a warning to the user based on their SPL.
My use case is that users should not generally search indexes which are fed into an accelerated data model. Specifically it's faster and more accurate to search the network_traffic ADM than a firewall index.
... View more
Labels
- Labels:
-
other
10-27-2021
06:42 AM
https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/chartsImage
When you upload an image, it is stored in the KV store. Because of this, only Enterprise admins, Cloud sc_admins, and power users can upload or delete images. If you don't have the correct role assigned to upload images, you can ask someone with the correct role to add it for you
Is there some permission I can assign to users to allow them to upload images without asking an admin/power user?
... View more
Labels
- Labels:
-
other
10-20-2021
11:01 PM
Admission rules are cool but it would be great to know which ones people are using. It would also be great if the platform had a set of known bad SPL which could be toggled on. Here's a couple of obvious ones we've started with: Prevent users searching all indexes: search_type=adhoc AND index=* Prevent users using all time searches: search_type=adhoc AND search_time_range=alltime
... View more
Labels
- Labels:
-
other
10-20-2021
10:37 PM
Link is now broken
... View more
09-14-2021
11:51 PM
Our Splunk deployment is on-prem and we have automated deployment based on app updates. Users create a PR, make updates and push to bitbucket. Automated tests are done and if everything is OK the changes are in production in the hour. We are considering the move to Splunk Cloud but are worried about the manual app vetting process. That process seems cumbersome and might mean that the 5-10 changes across multiple apps we have each week will form an endless backlog. How are you finding the app vetting process? Is it working OK or are you finding it painful? This is a question aimed at large corporates who have moved from on-prem or BYOL to Splunk cloud.
... View more
Labels
- Labels:
-
configuration
09-14-2021
11:39 PM
The internal metrics logs has information on tcp in and out. This is useful to see the traffic profile between Splunk tiers. We planning our migration to the cloud and this will help with sizing the cloud pipe. Has anyone created dashboards with this information they could share with us?
... View more
Labels
- Labels:
-
monitoring console
09-06-2021
04:08 AM
We currently operate on-prem and are considering moving to Splunk Cloud. A potential blocker is the manual process required to deploy apps in Splunk Cloud. Currently we have a fully automated SDLC pipeline. We have multiple teams who make changes across multiple apps, currently with a weekly deployment cycle but we are about to move to fully automated deployments. We are informed that we would need to replace this process - where each app would need to be manually assessed and there would be up to two days delay. I'm interesting in other large customers' experience in this respect. Did you need to change your deployment mechanisms/processes when moving to the cloud? Is it cumbersome? Did you find workarounds?
... View more
Labels
- Labels:
-
other
04-07-2021
08:05 AM
1 Karma
That's a link to DSP which is not relevant. Identity and Asset lookups are not going to work either as users do not own hosts. I'm not sure if you are trying to grab Karma for your own purposes but your response is in no way relevant or helpful.
... View more
04-07-2021
06:23 AM
We need to add users to our (unauthenticated) internal proxy logs. Currently the proxy logs only identity the initiator by IP address. We have DHCP and/or windows desktop logs to link the IP to a hostname. We have windows logon events which contain the hostname and user fields. Multiple users are able to log onto certain hosts and indeed might be logged on at the same time (using fast user switching). Has anyone any advice on how to solve this problem at scale (30 million events/hour)
... View more
Labels
- Labels:
-
join
