All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Dinesh Please create a support case for us to troubleshoot further- https://mycase.cloudapps.cisco.com/ 
Suresh I would suggest you to create a support case , so that someone from team can help you install it https://mycase.cloudapps.cisco.com/case
Why the DS shouldn't be a client of itself? any reasoning here?
Hi @danielbb  As @richgalloway said, you cant/shouldnt have the DS as a client to itself - You should deploy apps onto your DS under $SPLUNK_HOME/etc/apps in the same way you deploy to $SPLUNK_HOME/... See more...
Hi @danielbb  As @richgalloway said, you cant/shouldnt have the DS as a client to itself - You should deploy apps onto your DS under $SPLUNK_HOME/etc/apps in the same way you deploy to $SPLUNK_HOME/etc/deployment_apps  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Further to my other reply, if you just want to truncate you could use substr() function: | eval url_chunked=substr(url_full,0,50)."..."   Full example: | makeresults count=1 | eval SomeField=... See more...
Further to my other reply, if you just want to truncate you could use substr() function: | eval url_chunked=substr(url_full,0,50)."..."   Full example: | makeresults count=1 | eval SomeField="Some Value" | eval host="web-server-001" | eval url_full="https://example.com/a/very/long/path/that/goes/on/and/on/and/on/until/it/reaches_the/really/really/far/end/adding/more/segments/to/demonstrate/excessive/length/in/this/uri/string/exceeding/every/reasonable/limit/for/display/in/default/table/view" | eval url_chunked=substr(url_full,0,50)."..." | fields - url_full  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @NoSpaces  You can use a REX command with multiple match allowance/limit to chunk the url into the length required, this would then split it across multiple lines, would this help? | rex max_mat... See more...
Hi @NoSpaces  You can use a REX command with multiple match allowance/limit to chunk the url into the length required, this would then split it across multiple lines, would this help? | rex max_match=100 field=url_full "(?<url_chunked>[\S]{1,50})" Full example: | makeresults count=1 | eval SomeField="Some Value" | eval host="web-server-001" | eval url_full="https://example.com/a/very/long/path/that/goes/on/and/on/and/on/until/it/reaches_the/really/really/far/end/adding/more/segments/to/demonstrate/excessive/length/in/this/uri/string/exceeding/every/reasonable/limit/for/display/in/default/table/view" | rex max_match=100 field=url_full "(?<url_chunked>[\S]{1,50})" | fields - url_full  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hello everyone! I'm trying to create a table view of IIS logs. The main issue I've encountered is some very long URL fields. In similar situations elsewhere, I've seen interactive "URL wrapping" —... See more...
Hello everyone! I'm trying to create a table view of IIS logs. The main issue I've encountered is some very long URL fields. In similar situations elsewhere, I've seen interactive "URL wrapping" — like clicking or hovering to reveal the full link. But Splunk's table view doesn't seem to offer anything like that. How can I handle this?
Hi @TestUser  There used to be a placeholder configuration in UCC but unfortunately it was deprecated (https://splunk.github.io/addonfactory-ucc-generator/advanced/oauth_support/#properties:~:text=T... See more...
Hi @TestUser  There used to be a placeholder configuration in UCC but unfortunately it was deprecated (https://splunk.github.io/addonfactory-ucc-generator/advanced/oauth_support/#properties:~:text=The%20Placeholder%20attribute%20is%20deprecated%20and%20renounced.%20Instead%2C%20we%20recommend%20to%20use%20the%20%E2%80%9Chelp%E2%80%9D%20attribute.) which I was personally a bit frustrated by, but anyway, the alternative recommendation from the engineering team is to use the 'help' configuration such as: { "field": "name", "label": "Name", "type": "text", "required": true, "help": "Enter a name..", }, This will appear *under* the text box, but its better than nothing! #bringBackPlaceholder  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
A Deployment Server cannot be a client of itself.  Any apps the DS needs should be installed manually.
Hi @Dolly  postgres was incorrectly included in some 9.4.x UF builds, therefore if you are upgrading from one of these builds then the UF will "quarantine" the postgres binary as its not required/ex... See more...
Hi @Dolly  postgres was incorrectly included in some 9.4.x UF builds, therefore if you are upgrading from one of these builds then the UF will "quarantine" the postgres binary as its not required/expected in the UF bin directory.  You can safely remove the postgres binary from within the quarantine directory as it is not needed.   Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
I have two DSs that fail to deploy the TA_nix to themselves, how is it normally done? meaning how does the deployment server deploy to itself?
I want to show it in the configuration page tab, where im getting the date format as the input, where i need to show the example format of date input in the tab. Thanks
Hi @Dolly , Splunk recently (especially in newer 9.x versions) introduced mechanisms to quarantine suspicious or unexpected binaries during startup or upgrade. As part of App Integrity Checking o... See more...
Hi @Dolly , Splunk recently (especially in newer 9.x versions) introduced mechanisms to quarantine suspicious or unexpected binaries during startup or upgrade. As part of App Integrity Checking or Quarantine subsystem, it moved that binary out of active paths into quarantined_files for security reasons. During an upgrade, Splunk validates installed apps and files. If it finds unexpected binaries (especially those with execution permissions or high-risk names like postgres, bash, sh), it moves them to quarantined_files/ to prevent unintended execution.    
Hello @km, I don't think there's any need for resolving the #Concern 1 using web.conf and point the management port of the search head. Since the TA is not functioning as of now, I would suggest to ... See more...
Hello @km, I don't think there's any need for resolving the #Concern 1 using web.conf and point the management port of the search head. Since the TA is not functioning as of now, I would suggest to uninstall the TA from HF and directly hit the server/info endpoint on the HF itself. Does that result into 200? If not, there's your problem and there can be different reasons for not getting successful connection. Maybe your splunkd process is terminated and in dangling situation or maybe different other reasons.  Please check the local connection first after reverting the web.conf change and let us know the output and we can troubleshoot further. Thanks, Tejas.
@TestUser  Would you like to display a highlighted watermark on your dashboard? for example, a label with the highlighted format placed before the input field? Regards, Prewin Splunk Enthusiast... See more...
@TestUser  Would you like to display a highlighted watermark on your dashboard? for example, a label with the highlighted format placed before the input field? Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Thanks @livehybrid and @PrewinThomas for your help throughout. I want to select two solutions but not feasible. Upcoming stars... Kudos 
Sorry, this didn't help me in understanding Why do we find postgres in /apps/splunk/splunkforwarder/quarantined_files/bin/postgres even if we have upgraded to 9.4.3?  
@splunklearner  <html> <div class="dashboard-row"> <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%; box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1); ... See more...
@splunklearner  <html> <div class="dashboard-row"> <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%; box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1); border-radius: 6px;"> <h3 class="text-warning" style="display: flex; align-items: center; margin-bottom: 8px; color:#f57c00;"> <span style="font-size: 32px; margin-right: 12px;">⚠️</span> Important Notice </h3> <p class="text-muted" style="font-size: 16px;"> Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance. Use shorter ranges for faster results. </p> <p class="text-muted" style="font-size: 16px;"> Please ensure an <strong>Index Name</strong> is selected - this is required to load dashboard data. </p> </div> </div> </html>
Want to increase font size for these two lines and thats it. <html> <div class="dashboard-row"> <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; wid... See more...
Want to increase font size for these two lines and thats it. <html> <div class="dashboard-row"> <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%; box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1); border-radius: 6px;"> <h3 class="text-warning" style="display: flex; align-items: center; margin-bottom: 8px; color:#f57c00;"> <span style="font-size: 32px; margin-right: 12px;">⚠️</span> Important Notice </h3> <p class="text-muted"> Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance. Use shorter ranges for faster results. </p> <p class="text-muted"> Please ensure an <strong>Index Name</strong> is selected - this is required to load dashboard data. </p> </div> </div> </html>
@livehybrid I am not using SVG I am using the first XML you given...