About eholz1

eholz1 · ‎08-12-2025

To all that responded to my post, "Thank you So Much" It has been a while since I have looked into using Dashboard Studio (like 3+ years!) and the solutions posted here are excellent and very helpful to me. Thanks Again, eholz1 - a little smarter now!

eholz1 · ‎08-11-2025

Hello All, Thanks for the help this forum provides. I have a table in dashboard studio. I can set the backgrould color for the header. I would like to be able to change the color of the text in the table header without using the dark mode which sets text color in the header to white (and the table rows too). I would like to have the text color in my header to be white (or some other color) when the dashboard is set to the "light mode". It there a way to do this? Thanks, Eholz1

eholz1 · ‎07-28-2025

Hello PickleRick, I now know what you mean, the demo link using "| makeresults" fails. Lucky for me the html I use seems OK, and I do get the display of the table and the data iin the html code/file, thanks for the TIP. @eholz1

eholz1 · ‎07-28-2025

Hello There Ultra Champ, Thanks for quick response. I will take a look at the process. Thanks again, @eholz1

eholz1 · ‎07-28-2025

Hello Splunkers! I am using HEC to send an html file to splunk. The received event contains the html lines of code. The html is a table with some data, and forms a table with the data. Is there a way, or how can I create a dashboard from the html text that shows the table? Maybe another way to say this is: How can I extract the html code from the hec event, and display same on a dashboard? Thank You So Much, E Holz

eholz1 · ‎06-12-2024

Hello deepakc, Thank you very much for this information. This forum is great. Kudos to you for helping me understanding the "internals" of Splunk, eholz1

eholz1 · ‎06-11-2024

Hello All, Perhaps I have the 64K $ question. I am trying to understand (better) the IOWAIT warnings and errors. The yellow and red icons, etc. I know that IOWAIT can be an issue, and only on Linux based servers. I will guess that running Splunk Enterprise on a virtual linux machine makes things harder. I have revised the Health Report Managaer settings per a Splunk forum posting, and the issue is resolved for the most part. I can run an "unreasonable" search and get the warining icon, and then as the search progresses, the red error icon. I have run some linux commands like iostat, and iotop while the search is running but do not see any useful data. I am just curious how Splunk determines the IOWAIT values as part of the health monitoring. I was also wondering if I reset the healh repoting values back to the default, how I might go about reducing the "IOWAIT" characteristic on the Splunk server. Thanks for any hints or tips ewholz

eholz1 · ‎06-10-2024

How can I use this app? I have it installed, but configuration I do not understand how to set this up Thanks, ewholz

eholz1 · ‎06-10-2024

Hello and Thanks, It looks like this app, desires to store data in some sort of "cloud" based storage. Is this correct? The data I have cannot be anywhere but on a private LAN. I am not sure how to use this app, is there a posting or source of instructions on how to use this SplukBase app? Thanks for the reply, ewholz

eholz1 · ‎06-06-2024

OK, thanks so much, I will review the information you provided. Since our Splunk Enterprise instance is running on a virtual machine - the info you provided could be the issue. Splunk internals are tricky, I will check things over. Thanks Again, EWHOLZ

eholz1 · ‎06-06-2024

thanks, will check

eholz1 · ‎06-05-2024

Hello All, The question is is IOWAIT mean anything? I am in the process of upgrading Splunk 8.2.12 to 9.1.2, and then 9.2.1. I have not yet upgraded to 9.1.2. The Health Report is set at default settings i.e. 3, etc.I have tried the suggestion of doubling threshold vales, but eventually get a Warning yellow, or sometimes red, etc. I am running Splunk Enterprise 8.2.12 on an Oracle Linux (ver 7.9) with 12 cpu and 64GB memory. Do these settings have any benefit for the IOWAIT thresholds? I see where I can disable IOWAIT - or does it make any sense to try to generate some sort if Diag, which has a link when opeing the "Health Report Manager" Any info here? Am I missing something? Thanks as always for a very helpful Splunk community. EWHOLZ I

eholz1 · ‎06-04-2024

Thanks again for the info and clarification ewholz

eholz1 · ‎06-03-2024

This has not worked for me, any ideas? here is my SSLconfig line in server.conf [sslConfig] sslPassword = $7$IVRDJa9zz5Rmt3ZehltRkIK2vnYpOPiMSSAZMNAUqdQ7hQAGf2GNXg No other lines in the file. I am open to suggestions, and get this as well: WARNING: Server Certificate Hostname Validation is disabled., see server.conf, etc Thanks, EWHolzx

eholz1 · ‎06-03-2024

Hello, and Thanks for tip. I will look into getting TLS set and/or a new cert - the cert will need to be self-signed. Splunk was re-started after each upgrade. I am not familiar with the acronym of "SHC" -Thanks for the info. ewholz

eholz1 · ‎05-31-2024

Hello All, I have searched high and low to try to discover why the kvstore process will not start. This system was upgraded from Splunk 8.0, to 8.2, and finally 9.2.1. I have looked in mongod.log and splunkd.log, but do not really see any thing that helps resolve the issue. Is ssl required for this? the - is there a way to set a correct ssl config, or disable it in the server.conf file? Would the failure of the KVstore process affect IOWAIT? I am running on Oracle Linux, ver 7.9 - I am open to any suggestions. Thanks ewholz

eholz1 · ‎05-16-2024

Hello, Thanks for the reply. It works, sort of... The "dark" theme truns everything dark. It was my hope to have just the Apps panel be dark. I will guess the new version of Splunk over-writes a css file for the web interface. I have an older version of Splunk running, I will see if I can find the css file. Thanks again for the reply. Eric W.

eholz1 · ‎05-15-2024

Hello All, I have just upgraded Splunk ver 9.0.1 to 9.2.1. I have one question: the "Apps" panel on the left side of the window has a "white" background. Version 9.0.1 and older had a "dark" or "black" backgrould (my preferred view). Is there a way to set the background for the Apps panel to dark or black? Thanks, Eric W.

eholz1 · ‎01-16-2024

Hello There, I have installed Splunk DB Connect and all its requirements on ver 9.0 This works pretty well for queries either in Search or in SQL Exploereer. I want to use a stored procedure to return data using DB Connect. The procedure works fine in SQL Exploereer, and from the MySQL commang line. If I try to call the procedure from Splunk Search - I get no results I am using this format: dbxquery connection=myconn procedure="{call my_nice_proc(@val);}" this should return a text string, or a table of results if the query/procedure retuns 1 or more rows.. Any ideas on what I am missing? thanks, eholz1

eholz1 · ‎12-20-2023

dtbur;rows3 Wow, fast reply. Thanks. The ID gets set when the csv file is written. I have a python program that queries a MySQL database, and writes a "0" as ID if no results are returned from the query. If there is data returned, the ID is taken from query results (i.e ID=34, etc). The csv file is on a remote server. I use the Splunk Universal Forwarder to send the file to splunk. Is there a way to get this file set as an "input lookup" or does the "input lookupo" required the file to be local to the Splunk server? Thanks for quick help. EWHolz

eholz1 · ‎12-20-2023

Hello All, I have a search question. I have a csv file that returnds data. the ID field if there is no data - I want to have a table which shows 4 columns: NAME,STATUS,DATE,ACTION. These come from the csv file header line. If the ID >0 I want to show these columns: DATE-Changed,ID,NAME,DATE_DOWN,ACTION. I have not yet seen how I might do this. What I need, in a sense, it two searches, one when ID=0, and one when ID>0. Any suggestions? Thanks, EWHOLZ

eholz1 · ‎12-20-2023

Hello Members and richgallowy, Thanks for the tip. It has been a while since I have needed to apply my limited "Splunk" skills, I appreciate this suggestion, and will try it out;. Regards, EWHolz

eholz1 · ‎12-19-2023

Hello, I need some help. Icreate a csv file on remote server from a mysql quert. I forward the csv file from the remote server to splunk. I can read the data. The csv file is over written each day, it have have only 1 line of data, or multiple lines of data - it is a list of device that have gon down. If no devices are down, the the file only has the hearder, and data that says: :No Devices Down:" I only want to see data from the file on the day the file is writtern. The challenge I have is to read only the data in the file for that day. The issue is that splunk indexes the data, so splunk retains the data over time, like I want only 1 day info from the file, but splunk has all the data indexed How can I return only the data for the day, not for all data in splunk indes? thanks, EWHolz

eholz1 · ‎12-05-2023

Hello Members, I would like to import/show data in a splunk dashboard. This data is results from a mysql query run by php to create an html page with the results in an html table. Most likely the easiest way to do this would be to write the data to a csv file, and use splunk forwarder to send the data to splunk. The data needs to be checked once a day. I was wondering if there is a way to build a dashboard from the data via the splunk REST api, or import/forward the html page that get created from the mysql query. The query is run on a remote server. I looked at the splunk-sdk-python but its implementation is not user friendly - it requires docker, which I cannot get running for some reason. I am open to any and all suggestions. thanks eholz

eholz1 · ‎09-06-2023

Hello All, I am using maps+ with some success. I have one question, is there a way to zoom back to a set zoom point (like 3 or 4) after a default zoom in on a cluster? I am using maps+ to show up or down network devices. The cluster shows, say 2 devices at a given lat/log, zooms in quite a lot. I am using a map of the US, more or less centered in the window., but after the zoom-in, I have to backout using the "-" icon. It would be nice if maps+ had the zoom bck feature of the legacy map using geostats, etc. Thanks eholz1

Posts	157
Solutions	2
Karma Given	59
Karma Received	6
Member Since	‎03-25-2019

Online Status	Offline
Date Last Visited	‎08-12-2025 08:23 AM

Set color in table header with dashboard

Display received html file on dashboard

Splunk Enterprise - how does it detect IOWAIT warn...

Configure and Use Enterprise Security Configuratio...

IOWAIT Mystery - What is it? Is it important?

KVStore process will not start

Apps panel, left side of window - Splunk ver 9.2.1

Stored procedure fails to run Splunk DB connect

Change table columns based on field value

Challenge with splunk forwarder and csv file

Re: Set color in table header with dashboard

Set color in table header with dashboard

Re: Display received html file on dashboard

Re: Display received html file on dashboard

Display received html file on dashboard

Re: Splunk Enterprise - how does it detect IOWAIT ...

Splunk Enterprise - how does it detect IOWAIT warn...

Configure and Use Enterprise Security Configuratio...

Re: IOWAIT Mystery - What is it? Is it important?

Re: IOWAIT Mystery - What is it? Is it important?

Re: IOWAIT Mystery - What is it? Is it important?

IOWAIT Mystery - What is it? Is it important?

Re: KVStore process will not start

Re: kvstore certificate renewal is not working...

Re: KVStore process will not start

KVStore process will not start

Re: Apps panel, left side of window - Splunk ver 9...

Apps panel, left side of window - Splunk ver 9.2.1

Stored procedure fails to run Splunk DB connect

Re: Change table columns based on field value

Change table columns based on field value

Re: Challenge with splunk forwarder and csv file

Challenge with splunk forwarder and csv file

Suggestions Please: REST Api, csv,html

Zoom back or out using maps+

Are you a member of the Splunk Community?