/opt/splunk/etc/system/default/web.conf startwebserver = 1 UI loaded till yesterday but we have this issues frequently. Not sure what's the issue is. ... View more

this is happening frequently. Sometimes it will load fine sometimes it won't load like now. When I am checking web_service.log, I see these errors  2025-09-16 13:03:58,859 ERROR [68c960398b7f172e20e210] util:598 - unable to parse embed_uri as URL: Invalid entry for setting : embed_uri 2025-09-16 13:03:58,859 INFO [68c960398b7f172e20e210] root:355 - Proxied mode ip_address=127.0.0.1 port=8065 exposed_port=8443: 2025-09-16 13:03:58,963 INFO [68c960398b7f172e20e210] root:619 - overriding JSON MIME type with 'text/plain; charset=UTF-8' 2025-09-16 13:03:58,971 ERROR [68c960398b7f172e20e210] startup:116 - Unable to read in product version information; isSessionKeyDefined=False error=[HTTP 401] Client is not authenticated ... View more

I am running this in bin and no results is coming. ... View more

yes initially they are key value pairs and we are changing it in Splunk to JSON format. Please help me with the logic accordingly to mask password values. ... View more

remove the match value field (which contains passwrod values) completely not complete events -  This is raw data of it  "matches":[{"match_element":"ARGS:password","match_value":"SmFUYWlfZUJhZTc%253D","is_internal":false}] So is it better to do this - "matches":[{"match_element":"ARGS:password","match_value":"MASKED","is_internal":false}] or this - "matches":[{"match_element":"ARGS:password","is_internal":false}] At the end this operation shouldn't impact JSON format.   ... View more

and what if one event has multiple match element values ("ARGS:password") then it should mask all the corresponding passwords as well. Need to write logic in such a way. ... View more

This data is just key value pairs coming from source end. I have given kv_mode=Json which is converting them to Json readable format. ... View more

@livehybrid @PickleRick  what will be the best way to do it? Remove or Mask? User is fine with both. but what will be the best approach? and please help me with final props and transforms? I can see two above and confused. ... View more

What performance issues can I get? Please let me know The logs which contain match element field value as "ARGS:password", then match value will be password everytime and that should be masked or removed. For rest match element field values, no need to mask anything. ... View more

Already using one ingest eval to this sourcetype to route logs to specific indexes. Can we use one more ingest eval here? Will it override that or independent? ... View more

Why can't I give srchFilter as the role index by default? What will be the drawback for this? For prod roles I need to mention summary index condition as well with their restricted service... How @splunklearner told.. exactly the same way.. Below is the role created for non-prod   [role_abc]   srchIndexesAllowed = non_prod   srchIndexesDefault = non_prod   srchFilter = (index=non_prod)   Below is the role created for prod   [role_xyz]   srchIndexesAllowed = prod;opco_summary   srchIndexesDefault = prod   srchFilter = (index=prod) OR (index=opco_summary AND (service=juniper-prod OR service=juniper-cont))) ... View more

Is there any way that I can get rid of double quotes? And one more thing I noticed, if user has access to 10 roles (10 indexes) and we have applied srchFilter to 6 roles, then if they are searching with other 3 indexes (which are not there in srchFilter), he is not seeing any results. It means, if I use srchFilter by default I need to include it's index name in srchFilter? srchFilter is getting added for all the roles with OR... ... View more

But when I am trying to use TERM for service field, values are not returning. Service field is still there in my raw summary event. Not sure what went wrong (index=prod) OR (index=opco_summary AND (TERM(service=JUNIPER-PROD))   Even checked only with summary index and term with service not working This is my raw data for summary index -- I have extracted service from original index and given |eval service = service and then collected in summary index... 07/31/2025 04:59:56 +0000, search_name="decode query", search now 1753938000.000, info min_time=1753937100.000, info_max_time=1753938000. info_search_time=1753938000.515, uri="/wasinfkeepalive.jsp", fqdn-"p3bmm-eu.systems.uk.many-44", service="JUNIPER-PROD", vs_name="tenant/juniper/services/jsp" XXXXXX   ... View more

Thanks will this be more secure than before?  ... View more

@richgalloway This is one of the reason I am afraid of creating dedicated summary indexes again ... View more

@PickleRick ok got it. So the secure one will be creating seperate index for application wise. But we have nearly 500 indexes to come in overall scope and as of now we have created 100+ indexes which means 50 apps (non-prod and prod 2 indexes per app).. if I create summary indexes for these it would be more indexes again. Ideally how many indexes should be there in an environment? However we are using volumes and smartstore as well. Is it very difficult to manage these indexes in future? ... View more

@PickleRick will this work for me? What @splunklearner given...  ... View more

@PickleRick sir what can I do now? I am breaking my head. Is there no option left other than creating seperate summary index per app? If yes, can I ingest the respective summary index to same app index (appA index -- opco_appA summary index also opco_appA?  ... View more

@PickleRick then if I do service as a indexed field.. will it solve my problem or is there any chance that this can be violated at some point?  ... View more

cat props.conf [opco_sony] TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 25 TIME_FORMAT = %b %d %H:%M:%S SEDCMD-newline_remove = s/\\r\\n/\n/g LINE_BREAKER = ([\r\n]+)[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s SHOULD_LINEMERGE = False TRUNCATE = 10000   # Leaving PUNCT enabled can impact indexing performance. Customers can # comment this line if they need to use PUNCT (e.g. security use cases) ANNOTATE_PUNCT = false   TRANSFORMS-0_fix_hostname = syslog-host TRANSFORMS-1_extract_fqdn = f5_waf-extract_service TRANSFORMS-2_fix_index = f5_waf-route_to_index   cat transforms.conf   # FIELD EXTRACTION USING A REGEX [f5_waf-extract_service] SOURCE_KEY = _raw REGEX = Host:\s(.+)\n FORMAT = service::$1 WRITE_META = true   # Routes the data to a different index-- This must be listed in a TRANSFORMS-<name> entry. [f5_waf-route_to_index] INGEST_EVAL = indexname=json_extract(lookup("service_indexname_mapping.csv", json_object("service", service), json_array("indexname")), "indexname"), index=if(isnotnull(indexname), if(isnotnull(index) and match(index, "_cont$"),  index, indexname), index), service:=null(), indexname:=null()   cat service_indexname_mapping.csv   service,indexname juniper-prod,opco_juniper_prod juniper-non-prod,opco_juniper_non_prod   This is the backend query to route logs from global index to seperate indexes through service name. How to make this service field as indexed field? ... View more

@PickleRick ok and how this will be applicable in my case? If I restrict them based on service for summary index, even if he give |stats count by service he cannot see other's services data right? What else can he do here?  ... View more

Ok hence I given = for service and index. Hope it will work. Stanzas I have given will it work as expected or srchFilter has any behaviour that can't be defined? ... View more