Liveness And Readiness Checks For Splunk In K8s

Usually, you’ll use the Splunk Operator to run Splunk on K8s. There are some use cases, though, where you might want to run Splunk without the operator. If you do, it’s good practice, as with any deployment, to add a liveness probe so that Kubernetes restarts Splunk once it is no longer healthy. As the Splunk container needs about one minute to start up, I also recommend adding a readiness probe. This ensures that no traffic is routed to the pod as long as Splunk hasn’t fully started yet....

April 15, 2022 · 1 min · Marcus Schiesser

Running Mapped Subsearches Without Limits In Splunk

If you’re running saved searches in Splunk as subsearches inside the map command, they are bound by the subsearch limits. This is an alternative command that doesn’t have this limitation, because it starts a new search job for each subsearch. To use it, instead of calling:

| makeresults | map test

you use:

| makeresults | mapsearch search=test

While it lacks the full flexibility of map, the command still passes each event’s field values as input parameters to each saved search it calls....

March 27, 2022 · 1 min · Marcus Schiesser

Converting Simplified Extended ISO8601 In Splunk

Wondering how to use the ISO8601 format in Splunk? Simplified extended ISO8601 is, for example, the format that JavaScript’s toISOString function emits. It’s a great way (readable, and unambiguous about the timezone, since the timestamp is always in UTC and marked with a trailing Z) to exchange timestamps between Splunk and Splunk apps. Here’s how it’s done:

March 23, 2022 · 1 min · Marcus Schiesser
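An added example for the post above, not the post’s own SPL (which is cut off in this excerpt): the app side of such an exchange in Python. Splunk itself works in epoch seconds (the value in _time), so the block converts both ways, emitting exactly what toISOString produces (UTC, millisecond precision, trailing Z) and strictly requiring that form on input, so a local time or a timestamp with a numeric offset is rejected rather than silently mis-parsed. The sample values are constructed for illustration.

```python
"""Round-trip "simplified extended ISO8601" timestamps, the format that
JavaScript's Date.prototype.toISOString() emits, e.g. 2022-03-23T09:15:30.123Z.

Added example, not code from the original post. Splunk stores time as epoch
seconds, so the conversions below go epoch <-> ISO8601 string.
"""
import re
from datetime import datetime, timezone

# toISOString() always emits UTC, three fractional digits and a literal "Z".
_SIMPLIFIED_ISO8601 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.(\d{3})Z$"
)


def to_simplified_iso8601(epoch_seconds: float) -> str:
    """Epoch seconds (Splunk's _time) -> toISOString()-style string in UTC."""
    dt = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    millis = dt.microsecond // 1000  # truncate to milliseconds, like %3N
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{millis:03d}Z"


def is_simplified_iso8601(value: str) -> bool:
    """True only for the strict UTC form; "+02:00" offsets or missing "Z" fail."""
    return _SIMPLIFIED_ISO8601.match(value) is not None


def from_simplified_iso8601(value: str) -> float:
    """toISOString()-style string -> epoch seconds as a float.

    Parsed by hand rather than with datetime.fromisoformat(), which only
    accepts the trailing "Z" from Python 3.11 on. Rejecting anything that is
    not in UTC keeps the timestamp unambiguous when it reaches Splunk.
    """
    m = _SIMPLIFIED_ISO8601.match(value)
    if m is None:
        raise ValueError(f"not a simplified extended ISO8601 timestamp: {value!r}")
    year, month, day, hour, minute, second, millis = (int(g) for g in m.groups())
    dt = datetime(year, month, day, hour, minute, second,
                  millis * 1000, tzinfo=timezone.utc)
    return dt.timestamp()


if __name__ == "__main__":
    # Constructed sample: 2022-03-23T09:15:30.123Z is epoch 1648026930.123
    sample = "2022-03-23T09:15:30.123Z"
    epoch = from_simplified_iso8601(sample)
    print(sample, "->", epoch, "->", to_simplified_iso8601(epoch))
```

Because the output is always UTC, the same string means the same instant regardless of the user timezone configured in Splunk Web or of the app host’s local zone, which is what makes the format safe to pass around.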

Using Any Html Page As Login Page In Splunk

The configuration options in Splunk for customizing the login page are not sufficient? You want to use an arbitrary HTML page? This static login page can be used to customize the login experience for Splunk (tested with Enterprise 8.2.3). To activate it, copy the file to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/login.html (it will be served by Splunk Web as a static file) and add the following entry to the settings stanza in the web....

February 23, 2022 · 1 min · Marcus Schiesser

Using username or token authentication in Splunk from Python

To use either username or token authentication in Splunk, I wrote a small wrapper for the connect function. Its advantage over calling connect directly is that the same line of code works for both authentication methods, selected by the parameters you pass (shown here using environment variables):

February 10, 2022 · 1 min · Marcus Schiesser
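An added example for the post above, not the post’s own wrapper (which is cut off in this excerpt): a wrapper with the same idea, written so the choice of authentication method is a pure function that can be tested without a Splunk instance, and only the final call touches the SDK. It assumes the splunk-sdk package (splunklib) is installed and that its connect() accepts username/password, splunkToken for a Splunk authentication token, and verify for TLS certificate verification; the SPLUNK_* variable names are my own.

```python
"""Connect to Splunk with either username/password or an authentication
token, depending on which settings are supplied.

Added example, not the original post's code. Assumes splunklib.client.connect()
accepts the keywords username/password, splunkToken (Splunk authentication
token, sent as a Bearer token) and verify (TLS verification).
"""
import os
from typing import Mapping, Optional


def build_connect_kwargs(env: Mapping[str, str]) -> dict:
    """Select the authentication method from environment-style settings.

    SPLUNK_TOKEN wins if set; otherwise both SPLUNK_USERNAME and
    SPLUNK_PASSWORD are required. A ValueError on misconfiguration is
    deliberate: failing loudly beats silently falling back to a guessed login.
    """
    kwargs = {
        "host": env.get("SPLUNK_HOST", "localhost"),
        "port": int(env.get("SPLUNK_PORT", "8089")),  # management port
        "scheme": "https",
        # splunk-sdk does not verify the server certificate by default; keep
        # verification on unless explicitly disabled for a lab instance.
        "verify": env.get("SPLUNK_VERIFY_TLS", "true").lower() != "false",
    }
    token = env.get("SPLUNK_TOKEN")
    username = env.get("SPLUNK_USERNAME")
    password = env.get("SPLUNK_PASSWORD")
    if token:
        # Authentication token created under Settings > Tokens in Splunk Web.
        kwargs["splunkToken"] = token
    elif username and password:
        kwargs["username"] = username
        kwargs["password"] = password
    else:
        raise ValueError(
            "set SPLUNK_TOKEN, or both SPLUNK_USERNAME and SPLUNK_PASSWORD"
        )
    return kwargs


def auth_method(env: Mapping[str, str]) -> str:
    """Name of the method build_connect_kwargs() would use: "token" or "password"."""
    return "token" if "splunkToken" in build_connect_kwargs(env) else "password"


def connect_from_env(env: Optional[Mapping[str, str]] = None):
    """One call for both methods; returns a splunklib.client.Service.

    The SDK import lives here so the selection logic above runs without it.
    """
    import splunklib.client as client

    settings = os.environ if env is None else env
    return client.connect(**build_connect_kwargs(settings))


if __name__ == "__main__":
    # Constructed sample settings; no connection is made here.
    print(build_connect_kwargs({"SPLUNK_HOST": "splunk.example", "SPLUNK_TOKEN": "eyJ..."}))
```

Prefer the token path for scripts and scheduled jobs: a token can be scoped to a dedicated low-privilege user and revoked individually, whereas a username/password pair in an environment variable is a reusable interactive credential.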