Here is indexing pipelines by HEC endpoints https://www.aplura.com/assets/pdf/hec_pipelines.pdf ... View more

As already said, you must call to support not only email to them. Also check if you have several entitlements that you have selected correct one. At least I have several entitlements and only some of those are "paid" and can use for creating cases. ... View more

You seem to have correct developer not dev/test license or trial. Only this 1st one support remote LM, those two didn't. ... View more

Have you check that those indexes are there and splunk is running there without issues? Basically if you have GUI enabled on IDX you can try query from there or use CLI and do queries on command line too. Check also if there is any issues with internal logs. You can query those from internal indexes like  index=_internal log_level IN (error, warn) ... View more

Hi It's like @livehybrid said. You cannot / shouldn't try this that way. Basically there are two options to do this depending how your data is collected and where it's created. In SCP side you can set Federated Search in your SCP and use it to access data from another SCP stack. See more https://docs.splunk.com/Documentation/SplunkCloud/9.3.2411/FederatedSearch/fsoptions. The second option is replicate data before you send it into SCP stack. E.g. you could set your own HFs where you can set this. r. Ismo ... View more

Can you tell more about what and how you have done this installation and what kind of distributed environment you have? Are the problematic node indexer, search head or something other node? ... View more

You should try to create suitable REGEX to match only those events. One other comment, never put comment # mark in middle of conf line! At least in some conf file splunk cannot recognize it as a comment and try to do something with it with unknown results. ... View more

Hoe you have defined line breaking? ... View more

In splunk _raw is only one line, but it can contains e.g. \n character. You could see it e.g. “table _raw” ... View more

You should rise a support ticket if you are paid customer otherwise create an idea for this in ideas.splunk.com. Community is not an official Splunk support forum and they don’t take and create cases by questions which are asked here. ... View more

I can also confirm that UF is working on my environment with several macOS 15.4 both intel and M3. But initial versions of those have been lower than 9.4 and then those are updated. ... View more

You must add all needed fields in stats command if you want those to be present after its execution. Use values(a) as a values(b) as b like there is already used. Here is one old post which explains who you should replace different joins in SPL. https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948 ... View more

Even there is only one app there are also at least one serverclass and those 40 clients. Those serverclass(es) bind together clients and this app which contains outputs.conf. Usually you should have one app for defining general output target (indexers) and another which define ds instead of configuring this on installation gui. Over those there are usually many apps and serverclasses as @gcusello #alteady said. Here is one great conf presentation about DS https://conf.splunk.com/files/2024/slides/PLA1310C.pdf   ... View more

This splunk_server_group is e.g your defined additional group in MC setup like az_hec_test ... View more

Can you explain more detail level what you have in this splunk instance? Like it’s role, are there modular inputs, own SPL commands, amount of users, queries, DMA, other accelerations, daily data size etc ... View more

Here is instructions how todo it https://docs.splunk.com/Documentation/Splunk/9.4.1/Knowledge/Manageknowledgeobjectpermissions#Enable_a_role_other_than_admin_and_power_to_set_permissions_and_share_objects This is not a capability, instead of it, it’s needing a role which have write access to current app where dashboard is and also user must own this dashboard. Only users with admin role can share other people’s KOs. ... View more

Does this lantern article helps you? Watch also the video clip https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Using_ingest_actions_in_Splunk_Enterprise. Another example how to use it with pan logs https://lantern.splunk.com/Data_Descriptors/Palo_Alto_Networks/Using_ingest_actions_to_filter_Palo_Alto_logs. ... View more

I totally agree with @PickleRick you should disable your swap at least temporarily and after you have confirmed that everything is working and/or fix the root cause for swap usage then remove it permanently. When you have dedicated servers for splunk those should sized correctly to run your normal workload.  ... View more

You could also use site0 as site information instead of site1 or site2. Then it manages searches little bit differently than using exact site<#>. You found more information from those docs which are pointed to you. ... View more

Are you try to put it into _time field instead of timestamp? Then just modify @livehybrid INGEST_EVAL example to put that value into _time field instead of timestamp. Remember to remove json_set part also. ... View more

Basically you could use token with SSO user like SAML, but if I recall correctly there could be a situations when old SSO authentication cache/token/credential could vanish and then it needs that this user must login again via GUI to get it works again. If you are using token for user which are using GUI regularly probably this isn’t any real issue? But if you are adding token to any service user which are using only REST api then this could easily hit you. For that reason you should use local user in this kind of cases if your company policy allow it. ... View more

There are several ways to trim your data before indexing it into disk. The best option depends on your environment and which kind of data and use case you have. Traditional way is use props and transforms.conf files to do this. It works with all splunk environments, but it can be little bit challenging if you haven’t use it earlier! Here is link for documentation https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad There are lot of examples in community and other pages for that, just ask google to find those. Another option is use Edge Processor. It’s newer and probably easier to use and understand, but currently it needs a splunk cloud stack to manage configurations, even it can work independently on onprem too after configuration. Here is more about it https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/EdgeProcessor/FilterPipeline As I said currently only with SCP, but it’s coming also into onprem in future. Last on prem version is ingest actions which works both on prem an SCP too. https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/DataIngest And if you are in SCP and are ingesting there then last option is ingest processor. https://docs.splunk.com/Documentation/SplunkCloud/9.3.2411/IngestProcessor/FilterPipeline r. Ismo ... View more

As @PickleRick said many of us add those as an indexer into MC. I also add several additional custom groups to those. This helps me to avoid those false alerts and getting real status and statistics from indexers by selecting correct group on dashboards. There is idea on ideas.splunk.com to add own role for HF in MC. https://ideas.splunk.com/ideas/EID-I-73 This seems to be a future prospect, so maybe we finally get this into MC. Currently UFs don’t listen REST api by default from network. I haven’t tried to enable it and try to query those as I haven’t seen any benefits for it. You can see those enough well in forwarder management page. Another reason is that those doesn’t collect some introspection metrics by default and some cannot collect w/o adding separate TAs into those. ... View more