Hello, if we have "app/local" with conf files on the DS, is it possible that restarting it pushes DS "app/local" to HF "app/local" and deletes custom local conf files on the HF (created from the HF GUI)? Thanks.
Hi @gcusello, did you get an answer from @woodcock regarding applying etc/system/local/authorize.conf on all search head nodes (preferably from the GUI if possible)? Thanks.
Hello @meetmshah, how do you add custom ES roles on the Permissions page? In data/inputs/app_permissions_manager: "Action is not available", "Current instance is running SHC". There are only ess_analyst and ess_user. Thanks.
Hello, is editing ES roles on the Permissions page the same as editing ES roles in Splunk's native edit role page? I guess they both point to the ES authorize.conf, but the native one can work with custom roles? Thanks.
Hi @power12 you could try using the API : https://community.splunk.com/t5/Splunk-Search/How-to-change-sharing-and-permissions-for-a-lookup-table-using/m-p/163257
Hello @asimsk84, welcome! Depending on your retention policy in indexes.conf, old buckets won't be frozen and will be deleted: https://community.splunk.com/t5/Getting-Data-In/Do-I-need-to-define-coldToFrozenDir-in-indexes-conf-to-move-old/m-p/247162 Doc: https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Indexesconf%20%22coldToFrozenDir%22 You should not delete any file yourself; let Splunk manage them.
Hi @DanAlexander , looks like this is not supported at the moment : https://docs.splunk.com/Documentation/AddonBuilder/4.1.4/UserGuide/Installation "Add-on Builder is not supported in a search head cluster or index cluster environment." You can upvote this idea : https://ideas.splunk.com/ideas/APPSID-I-843
Hello, I would like to know the aim of this default constraint: (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) action="success" In particular, what does it try to match with user=*$? User accounts ending with the $ symbol, like in Windows? Thanks.
We are using /api base url, is that correct for .splunkrc as it asks for host and in our environment we use url?
thanks for your help!
.splunkrc
# Splunk host (default: localhost)
host=splunkurl/api
# Splunk admin port (default: 8089)
port=443
# Splunk username
username=
# Splunk password
password=
# Access scheme (default: https)
scheme=https
# Your version of Splunk (default: 6.3)
version=9.0.4
Hello @WanLohnston, you can try something like this: | timechart span=1d count(myfield) as nb_myfield | eventstats min(nb_myfield) as min_fields max(nb_myfield) as max_fields avg(nb_myfield) as moy_fields
Seems tcp_kprocessed is the total transferred data and kb the volume indexed for that particular event. You may submit a support ticket for further information, as this doesn't look documented.