I also tried adding this to the below query but it still pickedup more users from the main query. While I only want it to take into account the users I am getting from sub query. |appendcols [ search index="a" eventName="xxx" ***other conditions here** |rename principal{} as User | where firstime > _time | where maxTime < _time | stats count by User]

and there is a basic problem with that search anyway, which is that you are using a field called "count", which does not exist - your timechart will produce a field called dc(symbol). I assume that is a typo and that your real search does dc(symbol) as count  

Hi @gcusello  I found this post as I am trying to solve the same issue. I followed your suggestion and copied all the monitor  stanzas from system\default\inputs.conf to my inputs file in system\local\inputs.conf; and inserted "disable = 1" to all of them. Then I restarted splunk. However, network capture from my Splunk Server still showing all the log entries being forwarded. Below is my inputs.conf file. Do you know what could be the issue? Thanks, Billy. [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk] disabled = 1 index = _internal [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\watchdog\watchdog.log*] disabled = 1 index = _internal [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log] disabled = 1 index = _telemetry [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk_instrumentation_cloud.log*] disabled = 1 index = _telemetry sourcetype = splunk_cloud_telemetry [monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version] disabled = 1 _TCP_ROUTING = * index = _internal sourcetype=splunk_version [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\configuration_change.log] disabled = 1 index = _configtracker [WinEventLog://Security] disabled = 0 renderXml = 1 whitelist = 4624, 4634

Not sure I understand the "single" bit of last(reserved) by host, as I assume there will be lots of different values for different hosts, however, you can do this ... | stats values(*-*) as *-* | foreach *-* [ eval <<MATCHSEG1>>=mvsort(mvdedup(mvappend(<<MATCHSEG1>>, '<<FIELD>>'))) | fields - <<FIELD>> ]

Preventing all time is a good idea because it effectively stops the time picker option from being used, so will stop less familiar users from making poor searches. As 'All Time' sets earliest=0, if someone wants to do 'all time', it's still technically possible, as you can just search 'last 10 years' or something similar, e.g. earliest=10, which is almost all time, but not quite, so those who "know" can get around it.    

You could/should set MC also in single node. Just like in distributed environment. The previous conf presentation shows you how to look those logs on OS level if those are not deliver into your splunk server.

Note that you only have to accept the license once (per newly installed version), not every time you run Splunkd using systemctl. You can thus run the "./splunk start --accept-license=yes"  command once, then afterwards use "systemctl start Splunkd"

Sure. When I remove that line, I get:   index=_internal | table _time sourcetype | head 5 | eval othertestfield="test2" | collect index=summary testmode=true addtime=true   When setting "Last 30 days" with the time picker, it produces another 5 rows, but I only paste the first one for brevity: _time sourcetype _raw othertestfield 2024-03-13T21:13:38.999+01:00 splunkd 03/13/2024 21:13:38 +0100, info_min_time=1707692400.000, info_max_time=1710361482.000, info_search_time=1710361482.294, othertestfield=test2, orig_sourcetype=splunkd test2 It seems the _time field is not set automatically to info_min_time, or else it should show something like 02/12/2024 in the _time part of the _raw field