I agree to that. There is a confusion about what is "bidirectionnal" here. Any TCP connection, once opened by a source towards a destination on a specified port, will have data flowing in both directions by design: https://tools.ietf.org/html/rfc793#section-1.5. When firewall configuration considerations happen, then the true question to answer is not about flow but rather "who opens that connection ?". Who is the source and who is the destination ? That is what IT staffs asks me all the time : give me your "source + destination + protocol + port involved" (see, this is a one way rule). Now, I think the deployment server never initiates/opens a connection to the FWDers (poll mecanism from fwders to DS), so to agree with the response above and below made by @jkat54 and @jtacy : on the firewall => unidirection/one way rule for tcp traffic (1 firewall rule allowing connection from FWD => DS). Hope it helps and confirms the answers made so far by @jkat54 and @jtacy. ... View more

Hi there, 2 years late but never too late though as I have (had) the same question. There are several solutions but in a cluster context a best practice is to indeed forward summary indexes data to the indexer cluster layer. I invent nothing, I just read it here: https://docs.splunk.com/Documentation/Splunk/7.3.0/DistSearch/Forwardsearchheaddata By forwarding the results of summary index searches to the indexer level, all search heads have access to them. Otherwise, they're only available to the search head that generates them. A summary index is a regular index so it can be managed like any other index. Cheers. ... View more

It still ask for authentication even using sudo in front of the command ... (splunk version 7.2.3). I can say I am 100% sure my user is correctly set up "sudowise" and he does not need to enter any password on regular linux command such as "sudo updatebd"... I don' t get it (yet). ... View more

The CSS is correct: /* Choropleth Hide Map Legend */ .legend.leaflet-control { visibility: hidden !important; } It works also when using SplunkJS on an external Webapp. ... View more

I think charting.legend.placement is not the right option to use for a choropleth map. Using simpleXML in Splunk UI, I successfully used <option name="mapping.legend.placement">none</option> instead. This is not well documented in the reference available at https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/PanelreferenceforSimplifiedXML (search for Complete Choropleth map example). I found it by simply editing the source generated in my dashboard in Splunk UI for my choropleth object ("Format Visualization" button) when I checked "Show Legend" to "no". Using SplunkJS in my own external webapp, on the other side, "mapping.legend.placement":"none", has no effect. ... View more