All Posts


Want to increase font size for these two lines and that's it.

<html>
  <div class="dashboard-row">
    <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%; box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1); border-radius: 6px;">
      <h3 class="text-warning" style="display: flex; align-items: center; margin-bottom: 8px; color:#f57c00;">
        <span style="font-size: 32px; margin-right: 12px;">⚠️</span>
        Important Notice
      </h3>
      <p class="text-muted">
        Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance. Use shorter ranges for faster results.
      </p>
      <p class="text-muted">
        Please ensure an <strong>Index Name</strong> is selected - this is required to load dashboard data.
      </p>
    </div>
  </div>
</html>

@livehybrid I am not using SVG; I am using the first XML you gave...
@Dolly Refer to the below link: Solved: Postgresql on Splunk Enterprise - Splunk Community
Why do we find postgres in /apps/splunk/splunkforwarder/quarantined_files/bin/postgres even if we have upgraded to 9.4.3? Splunk must have moved this? If yes, why?
I want to show the tab with the watermark in the Splunk configuration page. How do I achieve it?
For example, I want to show the error link as below:
<a href="https://example.com/error-details" target="_blank" rel="noopener noreferrer">View Error Details</a>
Hello @spamarea1,

If the server on which you are building the TA is not indexing locally, it will show 0 events only. If the server is acting as an indexer or is indexing locally, then only it'll show the events count. Hence, if you want to search the data, you'll have to log on to Search Head and search against the index to view the events.

Let me know if you were still not able to understand the concept.

Thanks,
Tejas.
---
If the above solution helps, an upvote is appreciated..!!

@splunklearner This thread is getting harder to follow now. If you want to highlight the important notice part, I have updated the XML.

<form version="1.1" theme="dark">
  <label>Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <html>
      <style>
        @keyframes glowPulse {
          0% { box-shadow: 0 0 10px #f57c00; }
          50% { box-shadow: 0 0 20px #f57c00; }
          100% { box-shadow: 0 0 10px #f57c00; }
        }
        @keyframes bounceIn {
          0% { transform: scale(0.5); opacity: 0; }
          60% { transform: scale(1.2); opacity: 1; }
          100% { transform: scale(1); }
        }
        .warning-panel {
          animation: glowPulse 3s ease-in-out infinite;
          transition: box-shadow 0.3s ease;
        }
        .warning-panel:hover { box-shadow: 0 0 25px #ffa726; }
        .warningIcon { animation: bounceIn 0.8s ease-out; }
      </style>
      <div class="dashboard-row">
        <div class="dashboard-panel warning-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%; border-radius: 6px;">
          <h3 class="text-warning" style="display: flex; align-items: center; margin-bottom: 8px; color:#f57c00;">
            <span style="font-size: 32px; margin-right: 12px;">
              <svg class="warningIcon" focusable="false" height="1.3em" width="1em" viewBox="0 0 1500 1313" xmlns="http://www.w3.org/2000/svg">
                <title>Warning</title>
                <path style="fill:currentColor;" d="M.956 1196.326l668.58-1144.89C689.395 17.736 718.71 0 749.916 0c31.207 0 59.577 15.963 80.382 51.436l668.58 1144.89c7.565 12.416-23.642 116.174-77.544 116.174H85.474c-53.902 0-92.083-102.872-84.518-116.174zm643.333-684.743l32.146 257.167c4.908 39.264 34.086 74.685 69.815 91.187 36.612-16.018 64.87-50.826 69.914-91.187l32.146-257.167C855.18 456.623 815.582 411 759.7 411h-26.8c-55.908 0-95.555 45.033-88.61 100.583zm101.294 644.209c63.283 0 114.584-51.301 114.584-114.584 0-63.282-51.301-114.583-114.584-114.583-63.282 0-114.583 51.3-114.583 114.583s51.3 114.584 114.583 114.584z"></path>
              </svg>
            </span>
            Important Notice
          </h3>
          <p class="text-muted" style="font-size: 16px;">
            Avoid long date ranges like <strong>Last 30 days</strong> to avoid performance bottlenecks.
          </p>
          <p class="text-muted" style="font-size: 16px;">
            Please ensure an <strong>Index</strong> is selected before running this dashboard.
          </p>
        </div>
      </div>
    </html>
    <input type="dropdown" token="field1">
      <label>Index</label>
      <choice value="_internal">_internal</choice>
    </input>
    <input type="dropdown" token="field2">
      <label>Something else</label>
      <choice value="*">*</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|tstats count where index=_internal by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Hi @Keigo

The hardware specs for a Splunk UF are Dual-core 1.5GHz+ processor, 1GB+ RAM, which you are sufficiently covering here, and there aren't specific requirements for higher hardware specs when using the Linux Add-on.

In relation to your other 3 questions, lshw collects deep hardware information which is inherently compute-heavy and thus will cause a bit of a spike on lower resourced systems which might go unnoticed on higher spec'd servers.

My main question is, are you using the information that this provides, and if so does it need to be run at a regular interval? Like @PrewinThomas said, you could reduce the frequency but you will ultimately still see the spike when it does run, but I would double check that the data is actually being used (often I see users enable a bunch of Linux TA inputs which go unused!). If you do use it then reducing the frequency is the only option.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing

Hi @splunklearner

Do you have a mock-up of how you want this to look? The issue with setting manual colours is that when you switch to light mode the colours will not adapt, using the current approach the CSS used is relative to the theme mode selected as we are piggybacking the theme's specific colours.

If you can show me what you have in mind then I can try and adapt

Hi @Saran

Great, I'm glad you solved it.

Regarding the http-input prefix, I believe this connects to a load balancer for a production instance (which would generally comprise multiple indexers), whereas a trial instance is likely a single all-in-one Splunk Cloud deployment and therefore doesn't require a load balancer for the HEC traffic. In a production environment you would add the http-input- prefix and drop the 8088 port (and use 443).

It was a Proxy issue, I have resolved it. But I don't understand when to add "http-input" as the prefix to the instance. Could you please explain the difference between the Splunk Cloud trial instance and production instance? Thank you
And can we have an eye-catching background for dark mode, if possible?
Can we please increase the font size of those two lines below the imp notice and we are good to go. Thanks for your help. @livehybrid
Hi @PickleRick  Thank you for your response. We are a third-party patch provider, similar to solutions like PatchMyPC or ManageEngine, offering automated patching services to our customers. As part of our process, we routinely test each new release to ensure compatibility and stability across supported environments. For more details, please have a look at Autonomous Patching for Every Third-Party Windows App (adaptiva.com) (https://adaptiva.com/products/autonomous-patch)  
@ASEP

If your Remedy server is configured with HTTPS using a self-signed certificate, follow the below steps.

- Download the root CA certificate used in your Remedy deployment.
- Copy the contents of the new certificate.
- Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_remedy.
- Create a new <certs_file>.pem file and add the content of the new certificate. Append the new certificate content if the file is already present.
- Open the local/splunk_ta_remedy_settings.conf file in a text editor, create a new one if not present.
- Add the ca_certs_path parameter value as below:

  [additional_parameters]
  # <absolute path to the <certs_file>.pem file>
  ca_certs_path=/opt/splunk/etc/apps/Splunk_TA_remedy/custom_ca_certs.pem

- Save your changes.
- Restart your Splunk instance.

Refer to this doc: https://docs.splunk.com/Documentation/AddOns/released/Remedy/Configure

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

@Keigo

Normally production environments use 2–4 vCPUs and 4–8GB RAM to provide enough headroom, but it depends on your server roles/usage...

Ways to Reduce CPU Load
- You can modify inputs.conf to increase the interval for hardware.sh or disable it entirely if hardware inventory isn’t critical
- Run/Schedule scripts during off-peak hours
- Exclude unnecessary scripts (set disabled = 1 for any stanza you don’t need) in inputs.conf
- If you need continuous performance data, CollectD is more efficient I would say and integrates well with Splunk.

Ref: https://docs.splunk.com/Documentation/AddOns/released/Linux/Hardwareandsoftwarerequirements

Regards,
Prewin

We are running Splunk Universal Forwarder on a virtual machine and using the Splunk Add-on for Unix and Linux. The VM is configured with 2 vCPUs and 4GB of RAM.

During metric collection, it appears that the hardware.sh script executes the lshw command, which causes a temporary CPU spike of around 20–40%. Since these scripts run periodically, this behavior may impact performance, especially on resource-constrained VMs.

I would appreciate any insights or experiences regarding the following:
・Recommended VM specifications for running the Linux Add-On
・Ways to reduce CPU load caused by lshw or other scripts
・Is this kind of CPU spike expected behavior for the Add-On?
・Any operational tips or configuration examples to mitigate the impact

Thanks in advance for your help!

If the solution works, please mark it as a solution, so others can benefit.  
Hi @ASEP

Follow the below steps and let me know if you are facing any issues.

1. Export the Remedy SSL certificate from the Remedy server using the command:
   echo -n | openssl s_client -connect <remedy_host>:<port> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remedy_cert.pem
2. Add the certificate to Splunk’s trusted CA bundle:
   cat remedy_cert.pem >> /etc/ssl/certs/ca-bundle.crt
   Note: take a backup before appending
3. Restart Splunk