Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
I want to give LDAP access to my splunk service but I don't want the LDAP users to have admin capabilities in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Hello Jonathan,
Glad to have another Splunker. I've been using Splunk for 2 years and am hooked. I learned how to spell splunk and | transaction too. You'll learn that one soon.
Go over to Splunk…
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tuned Splunking skills
I like to wear Extra Lovable…
Feb 7
Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
Hi all,
I'm going crazy trying to extract a field from the mysql access log. This is the example source:
<13>Nov 5 18:56:25 dnsinterno mysql: 091105 18:56:25 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on
<13>Nov 5 15:02:07 dnsinterno mysql: 091105 15:02:07 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on
I need to extract the username (root, prova, ola, test etc.) from this log, but if I extract with the web console helper I can only extract: someuser after "Connect " and before "@"
or someuser after "user '" and before "'"
After 2 days I arrived at this: (?i)(?P[^ ]*)@
It extracts all the user names, but for the user names after "user..." it also extracts the single quotes, such as:
root
'root'
test
'test'
fabio
First... put this at the end of your search -- which will do the field extraction temporarily just for this search:
(You might have to add "username" as a selected field in the field picker.)
Now, to persist it put something like this in your $SPLUNK_HOME/etc/system/local/props.conf: (between the brackets should be a host, source, or sourcetype).
Save props.conf. Get rid of the "rex" stuff from the first line of my message, and then pipe your search to " | extract reload=t" to force re-read of configs and you should get this:
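As an added example (not code from either post above), the following Python script shows one regex that covers both log shapes the question describes, "Connect user@host" and "... user 'name'@...", and returns the bare username without the surrounding quotes. The sample lines are constructed to match the shape of the two lines in the question; the third and fourth are assumed variants of the same general-log format and are not real captured data. The tally helper is there because the usual next step is counting connection attempts per account, which is what you would chart once the field is extracted.

```python
import re
from collections import Counter

# Constructed sample lines in the shape shown in the question (first two)
# plus two constructed variants of the "user '...'" form; none are real data.
SAMPLE_LINES = [
    "<13>Nov 5 18:56:25 dnsinterno mysql: 091105 18:56:25 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on",
    "<13>Nov 5 15:02:07 dnsinterno mysql: 091105 15:02:07 1 Connect root@localhost on",
    "<13>Nov 5 15:03:10 dnsinterno mysql: 091105 15:03:10 2 Connect Access denied for user 'prova'@'localhost' (using password: YES)",
    "<13>Nov 5 15:04:42 dnsinterno mysql: 091105 15:04:42 3 Connect test@10.0.0.5 on",
]

# One pattern, two alternatives:
#   form 2: ... user 'root'@'localhost' ...   -> group "quoted", quotes excluded
#   form 1: Connect root@localhost            -> group "plain", stops at "@"
# [^\s'@]+ in the plain branch refuses quotes, so a "user '...'" line can
# never be picked up by the wrong branch.
USERNAME_RE = re.compile(
    r"(?i)"
    r"(?:user\s+'(?P<quoted>[^']*)'"
    r"|Connect\s+(?P<plain>[^\s'@]+)@)"
)


def extract_username(line):
    """Return the bare username from a mysql log line, or None if absent."""
    m = USERNAME_RE.search(line)
    if not m:
        return None
    quoted = m.group("quoted")
    return quoted if quoted is not None else m.group("plain")


def count_connects_by_user(lines):
    """Tally connection log lines per extracted username (skips non-matches)."""
    return Counter(u for u in map(extract_username, lines) if u)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_username(line))
    print(count_connects_by_user(SAMPLE_LINES))
```

Splunk's rex command and props.conf EXTRACT stanzas use PCRE named groups of the same `(?P<name>...)` form, so the same pattern carries over; the one adjustment is that PCRE does not allow two groups with the same name, so in Splunk you would keep the two group names distinct and combine them afterwards with `eval username=coalesce(quoted, plain)`.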
Thanks Fabio... do me a favor. Spread the word that this is a good place to learn and get hard questions answered. The more of us, the better we will be.