Hi @Marcie.Sirbaugh, I see you have an open ticket with the same error you asked Sajo about  agentregistrationmodule.go:352 Perhaps you can continue to share any outcomes from that interaction with your ticket here with Sajo.

Hello @493600, There is no OOTB of achieving this. Usually, we have to download the events in _raw format, upload it on a test environment which has latest version of TA along with CIM Validator installed - and validate the field extraction. Commands like fieldsummary can help in comparing the field name and values - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Fieldsummary   Please accept the solution and hit Karma, if this helps!

I left the Frozen drive to point to $SPLUNK_DB on the indexer's drive, but I'm not trying to employ frozen buckets at all. I'm trying to use the volumes on external drives for hot and cold, that's how our current instance is set up. The difference being the current is on Windows, and this new one is going to be on RHEL8.

@yuanliu , yes i tried the below query, but i getting 0 results index=test-index (data loaded) OR ("GET data published/data/ui" OR "GET /v8/wi/data/*" OR "GET data/ui/wi/load/success") | rex field=DATA mode=sed "s/ *[\|}\]]/\"/g s/: *\[*/=\"/g" | rename DATA AS _raw | kv |search ACTION= start OR ACTION=done NOT SERVICE="null" |eval split=SERVICE.":".ACTION |timechart span=1d count by split |eval _time=strftime(_time, "%d/%m/%Y") | table _time *START *DONE

these are all static, I was given a .pptx file and asked to find certain events, that wouldn't be a problem if the data was in plaintext, the instance is running on my machine so no TSL is involved, correct me if I'm wrong, is there anything I can do to actually use this data? without having to decode to binary and then ascii manually

You appear to have a hex dump of binary data.  Decoding the hex will give you the original binary, but Splunk doesn't support binary data. I've seen similar-looking input when an encrypted input stream is not decrypted before being indexed.  Double-check the TLS/SSL settings.

This is exactly what I speculated in your previous question: that your developers have left a compliant JSON, while having some structure within DATA field.  Instead of rex individual elements as if DATA is made of random text, you should utilize the structure your developers intended.  Have you tried my suggestion yesterday?   index=test-index (data loaded) OR ("GET data published/data/ui" OR "GET /v8/wi/data/*" OR "GET data/ui/wi/load/success") | rex field=DATA mode=sed "s/ *[\|}\]]/\"/g s/: *\[*/=\"/g" | rename DATA AS _raw | kv |search ACTION= start OR ACTION=done NOT SERVICE="null" |eval split=SERVICE.":".ACTION |timechart span=1d count by split |eval _time=strftime(_time, "%d/%m/%Y") | table _time *START *DONE   (Since you are running timechart, there is no need to preserver _raw, so I omitted that.  I also don't see how your last table command could give you the result you illustrated because START and DONE are capitalized.) Your sample data (only one event) gives _time AAP:START 01/02/2022 1 11/04/2024 0 This is the data emulation including _time conversion   | makeresults | eval _raw = "{\"date\": \"1/2/2022 00:12:22,124\", \"DATA\": \"[http:nio-12567-exec-44] DIP: [675478-7655a-56778d-655de45565] Data: [7665-56767ed-5454656] MIM: [483748348-632637f-38648266257d] FLOW: [NEW] { SERVICE: AAP | Applicationid: iis-675456 | ACTION: START | REQ: GET data published/data/ui } DADTA -:TIME:<TIMESTAMP> (0) 1712721546785 to 1712721546885 ms GET /v8/wi/data/*, GET data/ui/wi/load/success\", \"tags\": {\"host\": \"GTU5656\", \"insuranceid\": \"8786578896667\", \"lib\": \"app\"}}" | spath | eval _time = strptime(date, "%d/%m/%Y %H:%M:%S,%f") ``` the above emulates index=test-index (data loaded) OR ("GET data published/data/ui" OR "GET /v8/wi/data/*" OR "GET data/ui/wi/load/success") ```   Play with it and compare to real data.  If this doesn't work for select events, you need to post samples of those events.