Channel: Questions Tagged With user
Viewing all 118 articles

Report search / indexer storage quota

After experiencing our own version of user quota issues addressed in other questions, I want to execute a search in Splunk for

  • how much space is used by (a given set of) users
  • what are those users' quota

Splunk knows the values since it enforces the quota, and it will display the current usage and quota to over-quota users. However, I have not found how to access this. Nor have I seen how to calculate sizes of enough components (such as indexes) to build the search myself. The biggest item I can't find is saved searches.

What search(es) in Splunk show this information? Thanks.


Prevent Alerts From Running a Script

Is there a way to create a user role that can create alerts that can be mailed to an inbox but not have the ability to trigger a script? I am looking into creating a script that sends SNMP traps to an alerting program but I don't want someone randomly deciding to use this script on their personal alert.

I don't want to take away the capability of someone to create a personal alert, just the possibility of that alert actually triggering an incident in my monitoring program.

I know the schedule_searches capability prevents the creation of an alert, but again, I just want to stop the ability to trigger a script based on an alert.

Thanks!

Is it possible to Monitor Splunk User activity?

Is it possible to monitor Splunk user activity of users using Splunk, based on Splunk internal logs?

If so, what would be the best place to start monitoring? If there was an already built Splunk App for this, that would be a great advantage :)

If the above isn't possible, what would be the best alternative?

search for Count of users per minute for a hour

User activities are captured in the _audit index. Using this, I would like to see how many users are active in a given minute for an hour. I tried this:

index=_audit | dedup user | timechart span = "1m" count(user)

But dedup worked on the whole time frame instead of every minute. Any help would be appreciated.

How to add the user who is performing a search as an event field

We use some lookup tables to whitelist and blacklist events by src_ip. I've created a view that allows a user to input a src_ip and have that added to the lookup table. The search looks like:

index="logentry" | head 1 | eval src_ip=$src_ip$ | eval status="blacklisted" | eval comment=$comment$ | inputlookup append=t ip_blacklist_lookup.csv | dedup src_ip | table src_ip,status,comment | outputlookup ip_blacklist_lookup.csv

Is it possible to automatically append the user who executes the search as a field in the data? I'd rather that users not have to enter (or fail to enter) their username.

Can a view run a search on load like a dashboard can? I suppose I could search the _internal index on page load for the most recent event of that page loading and get the username there. Would that require giving the user access to the _internal index or could the view run that search as Splunk itself?

Thx.

Craig

What Does This Message Mean - UserManagerPro - Unable to get authentication token from peer 'https://{IP_ADDR}:{PORT}'.

I am setting up a new Search Head server. Everything (almost) seems to be working OK so far but I see this message appearing in the splunkd.log for both of my Indexer Servers:

UserManagerPro - Unable to get authentication token from peer 'https://{IP_ADDR}:{PORT}'.

I have looked up this message here in Answers and in the doc but nothing comes up related to it. Have you seen this before? Any ideas of what I need to correct to resolve it?

This is my first full system install and I'm lovin' the learnin'! (8->)

User Permissions

Tom has "POWER" ROLE that inherits "USER" Role and has more capabilities. Tom creates dashboard "Dash1". Tom wants to share Read access to ROLE "TOM-TEAM-ROLE". Tom is not able to see "permissions" link against "Dash1".

I'm an Admin. I have complete access to Splunk. What should I do to enable permissions link against "Dash1" for Tom?

Role capabilities

All,

Is it possible to give certain roles the ability to control users. I do not want to give this role admin rights, but I want them to add users.

I have tried the capabilities of "edit_user" and "edit_roles" but it doesn't appear to do much really, is there something I am missing...

Cheers,

MHibbin


role permission

I create a role [role_mmuser]

admin_all_objects = enabled
change_authentication = enabled
edit_deployment_client = enabled
list_deployment_client = enabled
edit_deployment_server = enabled
edit_dist_peer = enabled
edit_forwarders = enabled
edit_httpauths = enabled
edit_input_defaults = enabled
edit_monitor = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_server = enabled
edit_server = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_tcp = enabled
edit_udp = enabled
edit_user = enabled
edit_web_settings = enabled
indexes_edit = enabled
license_edit = enabled
license_tab = enabled
list_forwarders = enabled
list_httpauths = enabled
rest_apps_management = enabled
restart_splunkd = enabled

This enables the windows specific capabilities for admin

edit_win_eventlogs = enabled
edit_win_wmiconf = enabled
edit_win_regmon = enabled
edit_win_admon = enabled
edit_win_perfmon = enabled
list_win_localavailablelogs = enabled
list_pdfserver = enabled
write_pdfserver = enabled

importRoles = power;user
srchIndexesAllowed = ;_
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100

I have made it the same as admin, but still can't input data? Why and how? Thanks!

Why should i run reload auth every time i add users (LDAP enabled)

We have LDAP enabled for user management. I add the user ID in authentication.conf, then run the command splunk reload deploy-server. This command pushes authentication.conf to all pooled Search Heads.

However, users are not able to log in.

Only after running 'splunk reload auth' on each Search Head is the user able to log in.

Why should I run reload auth on every search head? Is there any alternative?

I'm seeing the below note in the link http://docs.splunk.com/Documentation/Splunk/latest/admin/SetupuserauthenticationwithLDAP

But I will have to reload auth when I add new users. Else they are not able to log in.

Should I make some other changes?

Note: Splunk automatically checks LDAP membership information when a user attempts to log into Splunk. You do not need to reload the authentication configuration when adding or removing users.

how can I disable "View results" for user

I do not want the user group to be able to do the "View results" action in the dashboard. How can I do that? Thank you!

user addition issue

I add users in authentication.conf. I push them to SH. The updated file resides on .../primary/.. But when I reload (which I have to do for some reason), a new copy of authentication.conf is automatically created and is placed in ../etc/system/local/

This system/local copy overrides the one in primary.

Now I have to delete this system/local copy every time I add users to see newly added users in the UI.

Is there a way to avoid this step?

What Capabilities do I need to enable so a user can change sharing permission on their searches?

What Capabilities do I need to enable so a user can change sharing permission on their searches?

How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

Hi, new here and to splunk - i'm hoping to use splunk to help audit security events under OS X server (running 10.7.4) for both Apple File Server events and SMB server events.

I've got splunk running fine and have the OS X server's syslogd forwarding, in theory, all events to splunk via adding this to syslog.conf and bouncing syslogd after: . @{my.server.ip.address}

splunk is happily consuming data from the OS X server, but when I make some AFP or SMB connections to it, I don't see anything show up.

Any ideas? I can see some historical events of these types in the system.log viewer in the Console, but my test events don't show up there either.

thank you for any help! -a

Access denied for user: '@domain'

I have configured a connection to my MySQL database, but I cannot access it when I click "Explore your MySQL databases". Below is my configuration, which is standard and simple.

[database-server.domain]
host = database-server.domain
port = 3312
schema = DBSchema
username = username
password = password
__f_ns = MySQL

When I go to Explore your MySQL databases I get an error at the top of the page with this alert:

(1045, u"Access denied for user: '@splunk.server.domain' (Using password: NO)")

The interesting thing is that there is no username in the alert. I have no idea why.


How to setup a load balancer for search heads.

How to set up a load balancer between search head and users? I do have a VIP address with a stick protocol enabled on two ports.

Scripted Auth in 4.3 with User Email

Anyone get Scripted Auth working in 4.3 (or any other version) where the user's email address is populated? I can't find any way to do this in the documentation, but seems necessary because so much of what can be done with Splunk assumes that you have an email address. What makes this much worse is that users who have been populated with Scripted Auth cannot be edited from within the Manager UI, so I am unable to set the users' email addresses manually, as well.

I am currently using PAM auth (by necessity -- don't ask), and I can easily use an algorithm to set the user's email address, if only I knew where. In the past I've used Splunk with AD/LDAP auth and had no trouble with email address population.

How to profile a User?

Hello,

I am looking for ways to profile a user's "typical" account usage. For instance, if a user normally logs in from 8am - 5pm, but then all of a sudden the user starts logging into a system at 12am, that wouldn't be normal in most cases.

Another idea... Logon duration times, multi-machine logins, etc.

Just curious if anyone is doing any user profiling in this manner that's easily duplicated in our environment. We log everything (even process execution).

Thanks

OS and browser extraction from useragent

Hi,

I need to extract OS and browser details from useragent.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

I need to capture Web Browser Version and Operating System Version from each user per visit. Is there any easy way that I can get the info instead of writing python script?

User signon issues

So there I was logging onto Splunk-base when do you know what happened? I can only assume my last upvote caused a split in space and time as I've just logged in and something appears to have gone very very wrong...

My user signon is Draineh for the nickname Drainy but clearly this has gone sideways... Halp? Drainy still exists! Do I need to embark on some sort of journey of self-discovery to find myself again? Whatever will happen next?
