Channel: Questions Tagged With user

User role cannot see lookup tables


Every search that contains a lookup or inputlookup function fails with a message stating that the lookup table is invalid. This appears to happen only for the User role. As Admin I have no problem. All of my lookup tables are flagged as Global with everyone read and Admin write. I have flagged some as everyone read and write and it still throws the error. It worked with version 5.0.4.

I am running Splunk 6.0.2 build 196940


How to show different views by the type of user


Hello everyone. My idea is: there are three types of users, and I would like to show different views by the type of user. Can this be done with Splunk?

mapping users to role


Hi, I have created LDAP configuration in our SPLUNK deployment.

# Version 6.0
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/system/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
# into ../local and edit there.
#
# This file configures authentication.

[authentication]
authType = LDAP
authSettings = SHC

# Note: the caching specified in this stanza only applies to scripted authentication.
# If you are using scripted authentication, you can override these cache timing values in
# your $SPLUNK_HOME/etc/system/local/authentication.conf

[SHC]
host = XXXXXXXXXXXXXXXXXXXXX
port = 389
SSLEnabled = 0
bindDN = anonymous

# User Configurations
realNameAttribute = cn
userBaseDN = ou=people,o=intra,dc=sears,dc=com
userBaseFilter = (objectclass=*)
userNameAttribute = uid

# Group Configurations
groupBaseDN = ou=people,o=intra,dc=sears,dc=com
groupBaseFilter = (objectclass=*)
groupMappingAttribute = uid
groupMemberAttribute = uid
groupNameAttribute = uid

[roleMap_SHC]
admin = lbirnba;pbussie;rsen0;vjaiswa

All the users have been added, but they are not able to log in (except for the admin users). I think I need to assign each user to a role before they can log in. I am thinking of assigning the "user" role to all users. How do I achieve that without using groups? We do not use groups in our LDAP.

Moving ldap users to local


How would you move all the current ldap users information, user roles, password, etc and create a local account for them instead?

Splunk user access


Hello Everyone,

I have a situation: I have one app which has 10 dashboards. Out of these 10 dashboards, 5 are for Finance, 2 for Wintel and 3 for the network team. The client asks me to provide access to the respective users only. I mean a user who belongs to Finance can only see Finance dashboards, a Wintel user can only see Wintel dashboards, and so on. Please suggest what to do.

Thanks Vikas

Get the list of Users from the below message in a Log file


In the below log file: the users are JACK, ROGER

I used something like this: source="/var/log/splunk/splunkcloud/" message=User*

I need to just get the User from the below message string.

{ app : "test_res", level : 1, message : "User JACK logged into Serv from IP address: x.xx.xxx.xx", time : "2014-04-16T17:28:26+00:00" }
date_hour=17 | date_mday=16 | date_minute=23 | date_month=april | date_second=2 | date_wday=wednesday | date_year=2014 | date_zone=local | host=splunk | index=main | linecount=1 | punct={"":"","":"_:...","":,"":"--::+:"} | source=/var/log/splunk/splunkcloud.log | sourcetype=access_combined | splunk_server=splunk

4/16/14 5:23:02.000 PM
{ app : "test_res", level : 1, message : "User ROGER logged into ownCloud from IP address: xx.xx.xxx.xx", time : "2014-04-16T17:28:25+00:00" }
date_hour=17 | date_mday=16 | date_minute=23 | date_month=april | date_second=2 | date_wday=wednesday | date_year=2014 | date_zone=local | host=splunk | index=main | linecount=1 | punct={"":"","":"_:...","":,"":"--::+:"} | source=/var/log/splunk/splunkcloud.log | sourcetype=access_combined | splunk_server=ala-splunk

Disk usage quota (user-level) has been reached: How can I monitor?


We've all seen this message. Disk usage quota (user-level) has been reached. usage=540MB quota=500MB. Then after a while the user concurrent search quota error will hit due to queuing. Then their other scheduled searches get skipped. All the while the user has no idea if they aren't actively logged in to Splunk.

  1. How can I monitor user disk usage BEFORE it logs it is full? Right now I see a WARN DispatchCommand and an ERROR SearchScheduler log that the quota was reached. Where can I see the current disk usage by user?
  2. How can I then run an admin search (saved search set to alert via email) every x minutes and alert users via email that their bucket is filling up (and also filled up)?
  3. Is it possible to set rules around auto deletion of old jobs based on criteria (age, size, view count, etc.)?

New User Welcome Email


When I am creating a new user, is there a way to 1) send him a welcome email through Splunk? 2) Force him to change his password the first time he logs in (much like the admin user must do on the initial install)?

I recently created 20 users and had to email each of them with their user name and a link to our Splunk install. Then I had to strongly suggest they change the password I set for them, but I did not see a way to enforce that.


Temporary user access


I have a team of users who only need brief access to my Splunk environment.

Is there a way to take either a user or a role and apply it for, say, 30 days, after which the accounts are disabled / deleted?

User audit report


Hello, I am enhancing an existing Splunk instance and I want to build or find a report that will tell me who accessed the system and when, and what searches or reports they ran. Is there a canned report that will tell me this information? If not, can someone help me define the search to turn up this information? Thanks.

user role and permission


We have multiple departments and their data is indexed into the Splunk indexer. How can we define roles / permissions to access each department's specific content / searches / indexes / sourcetypes? If a user "A" belongs to departments "D1" and "D2", user "A" should only have permission to the sourcetypes / content / searches / dashboards that belong to "D1" and "D2".

Can you please suggest the optimized solution for this in Splunk user management?

Concurrent searches in Splunk (System wide & user specific)


I have a search head with 16 cores and 2Gb RAM memory, using Splunk 5.x.
As per the calculation for concurrent searches, my system-wide concurrent search limit is 22:

max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
max_hist_searches = 1 x 16 + 6 => 16 + 6 => 22

22 is the maximum number of concurrent searches that my search head can handle.

For the 'admin' role I see the values below:

Limit concurrent search jobs = 50
Limit concurrent real-time search jobs = 100

These values are present by default in Splunk Web, under the authorize.conf file.

How can the maximum concurrent search jobs limit be 50 when the system-wide limit itself is 22?

Also, if I specify a count greater than the system-wide limit, does Splunk override the value to within the allowed range?

In this case, how are other users affected when the 'admin' user takes full control because he has the maximum concurrent search limit?

I am confused by this. Please advise on how to limit users' concurrent searches, considering the system-wide limit.

Index Access


Hi,

I want to give my Splunk customers' users access to only specific indexes and not the main indexes.

I also want to restrict them so that they search on that specific index and not the main index. So if I created an index called si_test, the user should by default search in si_test and have access to this index's data only. Is that possible?

What happens when a user is found that is not in identities.csv?


In relation to Splunk for PCI Compliance, what happens when Splunk finds a user in the events which is not listed in identities.csv? Is this user auto-categorized as "unknown user" or something similar?

Created user not visible on GUI


After creating a user through the Ruby SDK, I am able to list it on the terminal using the Ruby SDK, but the user is not shown in the Splunk GUI when logged in as admin.


Splunk forwarder


Does the app use the Splunk forwarder?

Find user that ran a specific dbquery


I need to find which user ran a specific dbquery such as 'select * from table1'. Can someone tell me how to search splunk for this?

Thanks, j

How to restrict visualization of triggered alerts to a specific user group?


Hello all,

In the triggered alert section, is there a way to restrict users in a specific group from seeing triggered alerts from another user group?

I am working with a customer who is reporting that a specific user can visualize alerts from users in groups other than his.

Is there a way to prevent this kind of situation?

Thanks-

splunk 6.1.X boot-start: running with group root (CentOS 6.5) - how force another group?


hi!

Since Splunk 6.1.1 we have encountered a problem: boot-start creates an init script which causes the splunk process to run as user splunk but with group 0 (root), while the files to be indexed are only available to the group splunk.

Is there a way to force the splunk-process to run as splunk:splunk?

something like

SPLUNK_OS_GROUP=splunk

(which doesn't work) in etc/splunk-launch.conf ?

regards,

philipp

python sdk raises keyerror while listing roles of user


Following the example to list users and display their properties from here: http://dev.splunk.com/view/python-sdk/SP-CAAAEJ6#listusers ends in the following error:

Users:
Administrator (admin)
Traceback (most recent call last):
  File "splunk.py", line 16, in <module>
    for role in user.role_entities:
  File "/usr/lib/python2.6/site-packages/splunklib/client.py", line 3054, in role_entities
    return [self.service.roles[name] for name in self.content.roles]
  File "/usr/lib/python2.6/site-packages/splunklib/client.py", line 3195, in __getitem__
    return Collection.__getitem__(self, key.lower())
  File "/usr/lib/python2.6/site-packages/splunklib/client.py", line 1163, in __getitem__
    raise KeyError(key)
KeyError: 'admin'

shell returned 1

I copied and used the code snippet from the above link, and logged in as admin using the following:

import splunklib.client as splunkclient

service = splunkclient.connect(host='sh1.hostname',
                     port=8089,
                     username='admin',
                     password='adminpassword')

# Get the collection of users, sorted by realname
kwargs = {"sort_key":"realname", "sort_dir":"desc"}
users = service.users.list(count=-1,**kwargs)

# Print the users' real names, usernames, and roles
print "Users:"
for user in users:
    print "%s (%s)" % (user.realname, user.name)
    for role in user.role_entities:
        print " - ", role.name

Using Splunk 6, Python SDK 1.0.0. Can someone please help to overcome this issue?

Splunk installed failed to create splunk account on RHEL


Dear experts, I installed Splunk on the RHEL servers. The majority of the time it works fine. But for this one server, when I tried to change ownership of a directory, chown -R splunk:splunk ./***deploymentclient/

it says

chown: invalid user: `splunk:splunk'

Can someone please tell me why the Splunk install failed to create a splunk account on the machine?

And how do I resolve this? Is it a simple useradd, etc.?

Thanks,

Identify User Logged Out From Inactivity


Hi all, we are looking at Splunk as a potential source to identify users that have long periods of inactivity. If there is no formal "logged out" or "timed out" message to queue on in the logs, would there be some way to determine time between last activity and then after a specified period of inactivity, the user is considered "logged out by inactivity" and added to a report that will be sent daily? Is this within Splunk's capabilities? If so, would this require any special scripting beyond a complex search?

I know this is pretty vague and I don't have a lot of specifics yet, but just wanted to throw it out and get some initial feedback. I'll provide updates as things progress.

Thanks


Is there any provision for an app to store its own user preferences?


We'd like to be able to store user preferences for one of our apps. There is already a $SPLUNK_HOME/etc/users directory for each user, and it looks like some app-specific info already gets stored there (e.g. $SPLUNK_HOME/etc/users/me/myapp/local/ui-prefs.conf). However, everything that I've seen in the etc/users directory is managed by Splunk itself. Is there any provision for an app to store its own user preferences? If so, is there an example somewhere of how that would be done?

Thanks! Steve

Splunk user roles


Dear All,

Can anyone guide me in understanding the functionality of Splunk users? When we define users in Splunk we can assign 5 roles:

1) Admin

2) user

3) can_delete

4) power

5) Splunk-System-Role

Can anyone tell me what the functionality of these roles is?

Thanks

Gajnan Hiroji

Should we run Splunk as root or non-root user?


Should we run Splunk as root or non-root user? Which way is better?

Thanks -Ha

Python SDK: How to create a user that can only write to specific indexes?


Hi,

I am working with code that sends data to Splunk indexes via the Python SDK (splunklib.client). I want to create a custom user for the purpose of this code. That is, a user whose privileges are strictly that of writing data into a small number of indexes and who is otherwise restricted from writing elsewhere.

I currently have a user with just the capability 'edit_tcp' and the 4 indexes I want specified for search capability, but this does not seem to restrict the write capability when using the .send() Python function.

Any help would be appreciated, thanks.

Question for new user


I am a new user of Splunk and am having difficulty understanding how to use it. I have some questions to start with. Please answer them, so that my use of Splunk can be easy.

1) Does Splunk need to be installed on every server whose log files are to be searched?
2) If I install Splunk on my laptop, how do I specify the files to be indexed and what fields are to be indexed? Does every file that needs to be indexed need to be specified in Splunk?
3) If I have installed Splunk on 6 servers, how can I link all these instances for viewing? E.g. I have installed Splunk on 3 servers and then I install it on a 4th server; how do I add this 4th server in the UI to make it available for viewing?
4) Do I need to specify which events to index from a file?

Are all these things for a user OR an administrator OR a developer?

What language knowledge does a Splunk developer need?

Does a Splunk administrator need knowledge of the operating system only OR does he need anything more than that?

Thanks

How to run DB Connect as Splunk local user?


All,

I want to set up a db connection via Splunk DB Connect to a database. We've given the main Splunk local user (i.e. the user name that owns the Splunk processes) access to the database.

There doesn't appear to be an option in DB Connect to just run as the default Splunk user though. I'm forced to supply some username/password to log into the database. Is there a way to get Splunk DB connect to just run as the Splunk local user?

Thanks!

Is there a file to work with to create a batch report to send to each user?


I have a large pool of users and would like to send each of them a report on how many items they completed that day. I would prefer not to manually create a report for each user since each report will only differ by username and email. Is there a file I can work with to get this done?


How to search the number of distinct users by index over the past 3 months?


I am in need of a search that will display the number of distinct users by index over the past 3 months. I have created the following search and run it over a 3-month time span, but I am wondering if this is the correct approach.

index=_audit NOT user="n/a" NOT user="splunk-system-user" action="search" info="granted" "search index=indexname" | timechart span=1mon count(_raw) by user

Please advise. Thanks in advance.


