cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Brainizer
Engager
Member since: ‎11-15-2021
‎12-01-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-15-2021
Activity Feed
View All

Re: Making indexes available to searchhead without...

by in Deployment Architecture
‎12-01-2023 04:38 AM
‎12-01-2023 04:38 AM
I said "config files" followed by an actual config file path in my first post. But for clarification. I check it with `btool` and `show config`. I am also aware that the config files are not automatically active if I change them on disc. I do a restart (Not debug refresh) if I change anything on disk. I also keep track of the restarts. The SH is also not part of a SH cluster which could also be a source of confusion. I don't use any other remote managing agents which could change the files. About the two commands you kindly provided. Neither `splunk btool` or `splunk show config` has the indexes definition for index_a or index_b on the SH. Only on the IX. Authorization is set only for index_a in etc/systems/local/authorization.conf for a specific group. Please take note that I cant just post the outputs of the commands because there is some confidential information within.  ... View more

Re: Making indexes available to searchhead without...

by in Deployment Architecture
‎12-01-2023 12:07 AM
‎12-01-2023 12:07 AM
Yes as I said in my post I checked the config files and there are no definitions of both indexes on the SH. Only on the IX and on the IX they are identical except the name.  ... View more

Making indexes available to searchhead without ind...

by in Deployment Architecture
‎11-30-2023 10:15 AM
‎11-30-2023 10:15 AM
Scenario: I have a searchhead and two idx in a cluster. there is an index (index_a) defined in the cluster. Until now I always deployed a copy of the indexes.conf with a mock index on the SH, for example to manage role permissions for it.  This was helpful to show the index in the role definition. However in this deployment there is no such indexes.conf file where index_a is defined on the SH, but the index still shows up in the configuration UI. All instances have Splunk Enterprise 9.0.5.1 installed Problem: I have a new Index that I defined after index_a. It is called index_b. index_b doesn't show up in the roles definition for some reason.  What I tried: I looked up the name of index_a in the config files of the searchhead. The only appearance is in system/local/authorize.conf. I also compared the index definitions on the CM including file permission settings. The two configurations only differ in index name and app. I also set up a test environment with one indexer and one searchhead. I created one index on the IX and it appeared on the SH role definition some time later without me configuring anything. Again I verified if the name of the index appears anyway in the SHs configs, but it didn't. Question: Is there a new feature which makes the mock definitions in the SH obsolete? I am aware that I can solve this with this approach but it appears to be a nicer way to do it like it is done with index_a ... View more

forwarding baked HEC traffic between two Splunk En...

by in Getting Data In
‎11-02-2022 04:04 AM
‎11-02-2022 04:04 AM
Hello, I would like to forward data between two splunk instances in clear text. For that I use HEC. This is my outputs.conf .    [httpout] httpEventCollectorToken = <HEC_TOKEN> uri = http://hec_target:8088   I would like to inspect the events with a third party application, but they appear to be encoded in s2s. Also this configuration sends the events to the /services/collector/s2s endpoint, which is not the same one would forward clear text (JSON) events to. Is there any way to send the events in a readable format? I am aware there is syslog output. I would try it if there is no possibility to change the HEC output accordingly.  Thanks in advance. ... View more
Labels

Re: Storing encrypted credentials and retrieving t...

by in Security
‎11-15-2021 12:08 PM
‎11-15-2021 12:08 PM
Just had the same problem. What the documentation does not say is that the field values have to be "username" and "password". One can't define their own ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-01-2023 12:37 AM
Karma given to
View All