Channel: Questions Tagged With user
Viewing all 118 articles

WARN AdminHandler:AuthenticationHandler - Denied session token for user: splunk-system-user

I'm getting this warning on my search peers. After some digging around (and trying this on some brand spanking new setups) I found out it has something to do with Splunk calling services/admin/auth-keys and not getting an appropriate response back. But I'm still baffled as to why. At first I thought I had misconfigured something, but after doing a test setup with just one search head and one search peer I get the same issue. This makes me doubt whether this is "working as intended" or something else.

Any ideas anyone?


User Controls

I created a dashboard. Two different users will be accessing this dashboard - Admin & User. I need admin alone to be able to use the drilldown functionality, not the user.

How can I configure this?

Session information (USER ID)

I want to get user login information from Splunk (session information).

User ID or any piece of information would be good!

I would like to know if there is a way.

I want to use the information that is obtained from the dashboard.

Can I give user-defined text to the pie graphs?

Hi.

I have plotted a pie graph, say with the values NOT, SOT, ... Now I need to expand these values on the right side of the pie graph so that it makes sense to the user what NOT etc. is.

Something like:

NOT - Notification

I need to add this text beside the pie graph. Is it possible in Splunk? I tried writing the text in the HTML module but it didn't work. Can you please help?

What needs to be done when an LDAP user is deactivated?

If we have an LDAP user that is deactivated, what happens to all of his scheduled searches and other user content like views, tags, field extractions?

Has someone come up with steps or a script to migrate all content for a disabled user to another user?

Track users journeys through an app and map out the pages they view

So I have a bespoke Java app running in Tomcat logging out different events which correlate to different sections of the app. Each different page is logged into a different log file, so I have multiple sources all under one sourcetype. There is a key-value pair field called 'user' on every line which represents the logged-in user's email address.

I'm able to isolate an event in each source which shows the user has visited that page in the app.

I want to be able to create a report and/or visualisation that can show the order in which the users moved around the app at a high level as a Proof of Concept. I need to be able to visualize multiple users and variations in the journey as it's non-linear.

This is a rough version of my query atm.

index=prod user=foo@user.com NOT message="cache"
| dedup _raw,host,_time | transaction source maxspan=1m | rex field=source "/var/log/tomcat/(?<page>.*).txt"
| table _time,user,page | chart count(user) over _time by page | chart count(userjounrney) over _time by page

Any ideas on how we could visualize this in a way it shows the progression of the pages that a specific user hit at what time?

UPDATE:

I've tried adding this to the end of the search and it visualizes the pages BUT does not show the order or time at which users visited them.

| eval Page = if(page="acs","ACS",if(page="home","Home",if(page="my-bills","My-Bills",if(page="ebill","eBill",if(page="direct-debit","Direct-Debit",if(page="my-apps","My-Apps",if(page="my-profile","My-Profile",if(page="createprofile","Create-Profile",if(page="my-offers","My-Offers",if(page="faults","Service-Status",if(page="trackorder","Track Order",0))))))))))) | chart count over Page by user usenull=f useother=f

Splunk User Activity

I am trying to set up a dashboard to show how much time each user spent using Splunk each week.

Anyone got any suggestions how I can track user activity time in Splunk _Internal or _Audit indexes?

User settings reset after running a saved search

I'm running into an issue where, after running a search for which the users set their preferences for lines per event, results per page, and search time, they'll run a saved search and all of the setting changes they made revert back to what they were prior to making changes (in this case 10 lines per event, x results per page, and the time defaults to ALL TIME). Is there any way to make the users' options persist?


Can a user (non-admin) save a global search?

Normally, only an admin can save a global search. However, is it possible for a user to save a "non private" search without the actions of an admin? I know that a user can save a search and the admin can make it global, but I would like it to become global immediately. I am assuming this may be done by adding an additional capability to the role "user". If not, I do not mind making a new role for everyone. This new role would be a normal user with the added ability to save searches.

Even better, is it possible for a user to save a search that only his "group" has access to? Maybe have a special role where a user (not an admin) can save a search and everyone in that role can view it?

Installing rpm as different user and not creating splunk user

Is it possible to install the universal forwarder rpm as a different user and not have the rpm create the "splunk" user?

splunk user/ group and ftp issue

Hi,

I have an instance of Splunk installed on a remote Unix server. Splunk runs as user "splunk", which is in group "admin".

When I edit an XML view and save it from the splunkweb interface, the permissions on the file are set to:

-rw------- 1 splunk splunk  5398 2013-04-24 14:34 MyEditedXMLView

which is quite inconvenient, as I also have an sftp service on this server, and develop JS/XML locally, and then "commit" the changes on the server, using a user which is also in the admin group.

I would like splunk to write the file with rw-rw---- splunk admin

so I can access it and modify it using my sftp service.

Is it intentional? Is there a way to get around this?

Guilhem

How does Splunk manage LDAP or AD user-created objects if the user is no longer active?

I've got some users who are no longer around in my Splunk instance and I want to remove the user-created objects. Is there a procedure I can follow for this task?

Limit user to his data only

Hello world!

I have a problem with my Splunk configuration. I have included LDAP authentication in Splunk without any trouble, and now I want to limit users to their own data. I have a field named "Owner" which contains the username that I want to compare to the logged-in username. For example, if "verrierj" is logged in, he must have access to his data (where Owner=username) and not to the data that does not concern him. It is for confidentiality purposes.

If you have any lead or solution for me... Cordially.

How to get email id from LDAP

On the following page, I can see the list of users in Splunk: /manager/search/authentication/users

I see a field called Email address, and we use LDAP authentication. I would like to configure Splunk so that I can see the user's email ID auto-populated from AD.

My setting in authentication.conf:

[authentication]
authSettings = AD,AD1
authType = LDAP

Anand

How can I get admin roles back? Fail: Client is not authorized to perform requested action.

Hi Everyone, I am an admin user and admin roles was suddenly, now I am unable to change or access any kind of role. Only the admin user is available in the system. Every time, the following message is displayed: "Fail: Client is not authorized to perform requested action."

Could anyone help me out with this?

Thank you in advance

Regards, Harshal


removing message banners for certain users

Is there a way we can remove the banner messages from certain users or at least anyone that isn't an admin?

First Day of Login / Last Day of Login in a month

Here is the scenario:

We want to know the first day of login and the last day of login in a month for a particular user.

Please help me.

All roles are deleted except user. Help!!

I did something by Work with Users and roles.

And then all users and admin were deleted and all roles were deleted except user.

Then I can't change anything.

When I make some change, I get an alert that Client is not authorized to perform requested action.

What can I do? How can I deal with this situation?

Create a User using the PHP SDK

I'm building a PHP web app that uses the Splunk PHP SDK and I've hit a brick wall trying to create a new Splunk user.

Ideally when a user account is created in my app, a corresponding account should be created in Splunk with the same credentials.

I've read up on the REST documentation and found the correct Endpoint - authentication/users/ but as far as I can tell the PHP SDK does not support creating an Entity that is not part of a Collection as Splunk_Entity does not have a create() method.

I have successfully created dashboards using the SDK which are Splunk_Collection objects, and gathered system info from server/info as a Splunk_Entity.

I have attempted to create a user by using create() on a Splunk_Collection, but as authentication/users does not have a namespace when the collection is returned a fatal is thrown attempting to check the non-existent namespace:

Fatal error: Call to a member function children() on a non-object in /var/www/html/dev/plugins/splunk_connector/sdk/Splunk/AtomFeed.php on line 45

In summary, my questions are:

  • How (if at all) can I create an Entity using the PHP SDK?
  • How do I create a User using the authentication/users Endpoint?

Splunk user is created automatically when I do a Splunk installation?

Hi,

I used an rpm installation of Splunk Forwarder 5.0.4 and installed it on my Linux server. Upon installation I could see a user created as "splunk" and a group named "splunk". Is this the expected behaviour? How can I stop it creating a user and use my own user for this installation?
