Hi Team, For some VMs, we need to install and configure the Splunk Universal Forwarder using Terraform since backend access is unavailable, and all actions must be automated. Typically, we follow the Splunk documentation to install the credentials package on client machines: [Install the forwarder credentials on individual forwarders in *nix](https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/ConfigSCUFCredentials#Install_the_forwarder_credentials_on_individual_forwarders_in_.2Anix). We use the following command to install the credentials package: $SPLUNK_HOME/bin/splunk install app /tmp/splunkclouduf.spl After executing this command, it prompts for a username and password. Once the credentials are provided, the package is installed, and after restarting the Splunk services, the internal logs from the client begin flowing (provided the relevant ports are open). Current Challenge: Since we are automating the deployment of the credentials package app via Terraform, we require a single command that: 1. Installs the credentials app. 2. Includes the username and password directly in the command. 3. Automatically restarts the Splunk services after installation. This will enable us to deploy the package via Terraform without manual intervention. As this involves a Linux machine, we need a command that can be executed in this environment. Could you kindly assist us in crafting this single automated command?     ... View more

Hi Team, We are planning to perform a silent installation of the Splunk Universal Forwarder on a Linux client machine. So far, we have created a splunk user on the client machine, downloaded the .tgz forwarder package, and extracted it to the /opt directory. Currently, the folder /opt/splunkforwarder is created, and its contents are accessible. I have navigated to the /opt/splunkforwarder/bin directory, and now I want to execute a single command to: Agree to the license without prompts, and Set the admin username and password. I found a reference for a similar approach in Windows, where the following command is used: msiexec.exe /i splunkforwarder_x64.msi AGREETOLICENSE=yes SPLUNKUSERNAME=SplunkAdmin SPLUNKPASSWORD=Ch@ng3d! /quiet However, I couldn't find a single equivalent command for Linux that accomplishes all these steps together. Could you please provide the exact command to achieve this on Linux?   ... View more

Hi All, Our current setup involves Splunk Search Heads hosted in Splunk Cloud and managed by Support. The existing Deployment Master server is hosted on Azure, where it has been operating smoothly, supporting around 900+ clients that send logs to Splunk through it. Now, we’re planning to migrate the Deployment Master from Azure to an on-premises Nutanix environment. We’ve built a new server on-premises with the necessary hardware specifications and are preparing to install the latest Splunk Enterprise package (version 9.3.1) downloaded from the Splunk website. We’ll place this package in the `/tmp` directory on the new server, extract it in the `/opt` directory, accept the license agreement, and start Splunk services. Once up, we’ll access the GUI to import the Enterprise licenses. Next, I’ll download the Splunk Universal Forwarder Credential package (Splunkclouduf app) from the Splunk Cloud Search Head. Could you confirm whether this downloaded app should be placed in the `/opt/splunk/etc/apps`, `/opt/splunk/etc/deployment-apps`, or `/tmp` directory on the new server? From there, we can proceed with the installation. Please confirm. Once installed, the Splunkclouduf app will create a `100_splunkcloud` folder in the `/opt/splunk/etc/apps` directory. Should I then copy the `100_splunkcloud` folder to the `/opt/splunk/etc/deployment-apps` directory? Also can we rename the folder name from "100_splunkcloud" to some custom name  Additionally, the next step will involve transferring all deployment apps from the `deployment-apps` directory on the old server (`/opt/splunk/etc/deployment-apps`) to the new server in the same location—please confirm if this is correct. Finally: - Update the `deploymentclient` app on both the old and new Deployment Master servers with the new server name. - Reload the server class on the old Deployment Master server. - Verify that all clients are reporting to the new Deployment Master server.   Want to get it clarified whether these steps are correct or if i missed out anything kindly let me know. So that my new DM server should be running fine post migration. ... View more

Hi Team, Our Splunk Search heads are hosted in Cloud and managed by Support and currently we are running with the latest version (9.1.2308.203).  This relates to the Max Lines configuration within the Format segment of the Search and Reporting App. Previously, Splunk defaulted to displaying 20 or more lines in search results within the Search and Reporting App. As an administrator responsible for extracting Splunk logs across various applications over the years, I never found the need to expand concise search results to read all lines. However, in recent weeks, perhaps following an upgrade of the Splunk Search heads, I've noticed that each time I open a new Splunk search window or the existing Splunk tab times out and auto-refreshes, the Format > Max Lines option resets to 5. As a result, I consistently have to adjust it after nearly every search, which has become cumbersome. Therefore, kindly provide guidance on changing the default value from 5 to 20 in the Search and Reporting App on Adhoc & ES Search heads. This adjustment would ease the inconvenience experienced by numerous customers and end-users who currently find it troublesome to customize it for each search.   The file is ui-prefs.conf, so I've filed a case with support to address this issue. Unfortunately, support wasn't able to make the necessary changes at the backend and suggested that I create a custom app and deploy it in the app upload section. Consequently, I created a custom app, deployed it, and it successfully passed the vetting process. Afterward, I restarted the Search head, but the changes didn't take effect. Upon reaching out to support again, they were unable to provide a solution for the issue. Therefore, I require assistance in resolving this matter. So refer the screenshot of the app which I have deployed for reference. Created a app as below: MaxLines_Values folder. Inside MaxLines_Value folder there would be default and metadata folder as mentioned in screenshot. So kindly help on the same.   ... View more

Hi Team,   We actually want to send AWS Guard Duty logs to Splunk Cloud so what is the procedure to get it achieved since earlier we had an option i.e. Amazon GuardDuty Add-on for Splunk (https://splunkbase.splunk.com/app/3790) which is currently archived so do we have any add-on or app to collect the events and onboard the logs to Splunk. So kindly help to check and update on the same.  ... View more