Hello, I would like to create a compliance user by allowing read only access to all knowledge objects and dashboards in our Splunk environment. I have allowed read permissions on all apps to that specific role however, me as admin role can view almost double the amount of Alerts, Reports and Dashboards as the compliance role. What could be the cause here? and what could I be missing? Do I need to edit every single knowledge object and dashboard to allow permission for said role? Is there an easier method of doing this if so? Thanks, Regards, ... View more

Hello, As the title suggests, is there a way to do this in TrackMe with a single Tenant or is this feature only available for subscription? Also, What are other best free alternatives to TrackMe. Thank you, Best Regards, ... View more

Hello Splunkers, I have a search created below to only detect local ip intel specified manually by the user: | tstats min(_time) as firstSeen max(_time) as lastSeen count from datamodel="Threat_Intelligence"."Threat_Activity" where Threat_Activity.threat_key=local_ip_intel by Threat_Activity.weight Threat_Activity.threat_match_value Threat_Activity.threat_match_field Threat_Activity.src Threat_Activity.dest Threat_Activity.orig_sourcetype Threat_Activity.threat_collection Threat_Activity.threat_collection_key | rename Threat_Activity.* as * | join type=left threat_match_value [| inputlookup local_ip_intel.csv | rename ip as threat_match_value description as desc | fields threat_match_value desc] My goal here is to specify a description next to each local ip threat match to ease up the analysis and specify a reason as to why the intel was inserted there in the first place. The search works properly and when sourcetypes are searched the results do actually show up where they match the local ip intel, however it shows more than what was specified in the local ip list which it is seen trying to match ip's that are not even in the list and so no description can be joined in the result. PS: The SubSearch does show me all the correct IPs I have manually added Would appreciate anyone showing me where I am actually going wrong. ... View more

I have recently realized certain data models of indexes are occupying alot of disk size and have lowered the Summary Range of related Data Model from 3 months to 1 month. Currently in this scenario I have not seen a drop in the Disk Size usage in the Data Model screen, do I need to Rebuild and Update the acceleration? If so in which order and are there any performance or other risks involved in doing so? Thanks, Regards, ... View more

Greetings, I have recently added a new Calculated Field to a Data Model by stopping the accelerated Data Model, and inputting the following Eval Calculated field on the bottom of the table as follows: After accelerating the Data Model again, all the related dest field values even though they were included in the CIM index now appear as "unknown" and the field now does not even show up on the original index that was first feeded on to the Data Model. I am currently baffled as to why this would even interfere with the original index parsing let alone showing up as unknown in the data model aswell. Thanks, Regards, ... View more