Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ashutosh2020
ashutosh2020
Explorer
Member since:
07-26-2018
06-13-2021
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 9 |
| Karma Received | 0 |
| Member Since | 07-26-2018 |
Activity Feed
- Karma Re: Why is my Splunk deployment server failing with the following message: "Name may not be empty or all-whitespace" for kamalbeg. 06-05-2020 12:50 AM
- Karma Re: Unable to open external link in new tab ; -blank not working for swmishra_splunk. 06-05-2020 12:50 AM
- Karma Re: Disambiguation of the meaning of "nobody" as an owner of an objects in the manager for yannK. 06-05-2020 12:50 AM
- Karma Re: Splunk SAML authentication - Data Confidentiality issue for nickhills. 06-05-2020 12:50 AM
- Karma Re: Splunk SAML authentication - Data Confidentiality issue for suarezry. 06-05-2020 12:50 AM
- Karma Re: Question about LINE_BREAKER and SEDCMD for harsmarvania57. 06-05-2020 12:50 AM
- Karma Re: How can i encrypt indexed data? for esix_splunk. 06-05-2020 12:48 AM
- Karma Re: How Do I Remove Old SAML Users? for djung. 06-05-2020 12:48 AM
- Karma Re: Restrict Index access for GKC_DavidAnso. 06-05-2020 12:46 AM
- Posted Re: Question about LINE_BREAKER and SEDCMD on Getting Data In. 09-24-2019 05:27 AM
- Posted Re: Question about LINE_BREAKER and SEDCMD on Getting Data In. 09-19-2019 01:54 AM
- Posted Re: Question about LINE_BREAKER and SEDCMD on Getting Data In. 09-19-2019 01:18 AM
- Posted Question about LINE_BREAKER and SEDCMD on Getting Data In. 09-18-2019 04:06 AM
- Tagged Question about LINE_BREAKER and SEDCMD on Getting Data In. 09-18-2019 04:06 AM
- Tagged Question about LINE_BREAKER and SEDCMD on Getting Data In. 09-18-2019 04:06 AM
- Tagged Question about LINE_BREAKER and SEDCMD on Getting Data In. 09-18-2019 04:06 AM
- Posted Re: How Do I Remove Old SAML Users? on Security. 03-18-2019 06:57 AM
- Posted Re: Splunk SAML authentication - Data Confidentiality issue on Security. 03-18-2019 05:32 AM
- Posted Splunk SAML authentication - Data Confidentiality issue on Security. 03-18-2019 04:22 AM
- Tagged Splunk SAML authentication - Data Confidentiality issue on Security. 03-18-2019 04:22 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
09-24-2019
05:27 AM
Dear @harsmarvania57
your suggestions have helped a lot.
I am able to resolve the issue. I have completely rebuilt the add-on with fresh configurations. There was something overriding my previous configurations (or might be some bug), but now it is working perfect.
Thanks for your timely help.
... View more
09-19-2019
01:54 AM
Reducing the number of events is not possible. I have created a file input with the lesser number of records to test. This method works in single instance splunk enterprise but fails in HF--->Indexer scenario.
SHOULD_LINEMERGE is false and removed. And I have changed your (\,\s\n\s) to (\,\s) which suits my data.
I will be looking at the TRUNCATE limits.
... View more
09-19-2019
01:18 AM
Thanks harsmarvania57,
I have tried all those combinations of regex, all the regex match perfectly to the log text. Sadly, it does not break the line. I used LINE_BREAKER to break at every "," or "}" just to test the functionality, and it does not work either. This clarifies, there must be some other configuration, I missed or something else overriding.
do you have any other checks? There is no warning or error in the internal logs.
I will have more than 70,000 records in one event, will this make any impact?
... View more
09-18-2019
04:06 AM
This is a long question.
We have a Heavy Forwarder and an Indexer cluster (managed through indexer cluster master.) I have a scripted input that pulls some data which is in "array of json" format. To remove the complication of array of jason, I am using SEDCMD, which works perfect. But my LINE_BREAKER does not work.
The custom add-on which has the input is hosted on the Heavy Forwarder and the props.conf is present on both HF as well as Indexers. The props.conf works perfect if I upload the data to a Single Instance Splunk Enterprise but does not work in HF--> Indexer scenario.
I have tried implementing combinations of the props.conf on both HF and Indexers, but LINE_BREAKER does not work.
Below my props.conf, I have used several combinations of the LINE_BREAKER as well as MUST_BREAK_AFTER (LINE_MERGE = TRUE)
[testdata_api]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
#LINE_BREAKER = ((?<!"),|[\r\n]+)
#LINE_BREAKER = (\}\s+)
LINE_BREAKER = ((\}\,)|(\}\s+))
#SEDCMD-remove_prefix = s/{\n\"Report_Entry":\s\[//g
#SEDCMD-remove_trailing_commas = s/\},/}/g
#SEDCMD-remove_footer = s/\]\s\}//g
#SHOULD_LINEMERGE = true
#MUST_BREAK_AFTER = (\}\s)
Below is the sample of how my data looks like
{
"Report_Entry":
[{
"field1": "value1",
"field2": "value2",
"field3": "value3",
"field4": "value4",
"field5": "value5",
"field6": "value6",
"field7": "value7",
"field8": "value8",
"field9": "value9",
"field10": "value10"
},
{
"field1": "value1",
"field2": "value2",
"field3": "value3",
"field4": "value4",
"field5": "value5",
"field6": "value6",
"field7": "value7",
"field8": "value8",
"field9": "value9",
"field10": "value10"
},
{
"field1": "value1",
"field2": "value2",
"field3": "value3",
"field4": "value4",
"field5": "value5",
"field6": "value6",
"field7": "value7",
"field8": "value8",
"field9": "value9",
"field10": "value10"
},
{
"field1": "value1",
"field2": "value2",
"field3": "value3",
"field4": "value4",
"field5": "value5",
"field6": "value6",
"field7": "value7",
"field8": "value8",
"field9": "value9",
"field10": "value10"
}]
}
Below is the out put of btool
/opt/splunk/etc/apps/TA-testdata_api/local/props.conf [testdata_api]
/opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/apps/TA-testdata_api/local/props.conf LINE_BREAKER = (\}\,)
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/apps/TA-testdata_api/local/props.conf SHOULD_LINEMERGE = false
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/apps/TA-testdata_api/local/props.conf category = Splunk App Add-on Builder
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority =
/opt/splunk/etc/apps/TA-testdata_api/local/props.conf pulldown_type = 1
/opt/splunk/etc/system/default/props.conf sourcetype =
I need to know, if there is any precedence of LINE_BREAKER over SEDCMD? or what causes the LINE_BREAKER to fail in my case?
... View more
03-18-2019
06:57 AM
This was a lot helpful, now i understood how this mechanism works.
... View more
03-18-2019
05:32 AM
ok, Can we atleast have a way where the SAML does not create users on it's own?
... View more
03-18-2019
04:22 AM
Hi,
I am using SAML Authentication with an IDP for SSO. Everything works perfect unless we noticed an issue. The users created by our Identity Provider receives a User Level access. The SSO receives users from our Active Directory. The issue arises when the AD team can create any random user and add him to our group and immediately the user receives User Level access to splunk.
The challenge occurs when the Splunk Admin can not control the user created through SAML. Splunk Admin can not delete / change user role of the SAML users. Splunk Admin can make changes to the users created in Splunk Native Authentication as always.
If someone from AD team decides to some mischievous activity, he can create a user and get a direct access to Splunk. There is no 'check' at the splunk side if someone is authorized to access my data or not. If a user gets created under Admin in the AD, he can be dangerous.
Moreover, if Splunk Admin wants to assign a new role to a SAML user, he will not be able to do so. In such case we are completely dependent on the AD team. This becomes an operational issue, as well as it opens gate to data confidentiality.
Please guide me on how to get over this and solve the issue. I might be doing something in an incorrect way and facing the case.
Following are few more points to note.
1. The way we are integration with SAML is incorrect?
2. Can we control user authorization on the splunk side?
3. If we happen to create a user role with lease possible capabilities and assign every new user to that Role, what capabilities the users will have. Even after this, splunk admin is not able to change the user capabilities.
Please help me with the above.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-13-2021
04:50 PM
|
Karma given to
