hi @jotne it works great, just small favor. how do i stop it if it sees the below line 'aggregation groups'? with data below? cause its also capturing that part, but the rest is great. ty name                    id    speed/duplex/state            mac address       -------------------------------------------------------------------------------- ethernet1/3             66    1000/full/up                  b6:2c:23:e0:40:42 ethernet1/4             67    1000/full/up                 b6:2c:23:e0:40:43 ethernet1/5             68    10000/full/up                 b6:2c:23:e0:40:44 ethernet1/6             69    10000/full/up                 b6:2c:23:e0:40:45 ethernet1/7             70    10000/full/up                 b6:2c:23:e0:40:46 ethernet1/8             71    10000/full/up                 b6:2c:23:e0:40:47 ae1                     16    [n/a]/[n/a]/up                b6:2c:23:e0:40:10 ae2                     17    [n/a]/[n/a]/up                b6:2c:23:e0:40:11 ha1-a                   5     1000/full/up                  d1:f4:b3:c3:25:97 ha1-b                   7     1000/full/up                  d1:f4:b3:c3:25:96 vlan                    1     [n/a]/[n/a]/up                b6:2c:23:e0:40:01 loopback                3     [n/a]/[n/a]/up                b6:2c:23:e0:40:03 tunnel                  4     [n/a]/[n/a]/up                b6:2c:23:e0:40:04 hsci                    8     40000/full/up                 01:20:6c:1c:81:08 aggregation groups: 0

@ansusabu_25 the app is not ES specific but can be installed on any SH. You should have the option already shown to you and this will stop the multiple artifacts being created. At the moment, multiple artifacts are created due to there being 1 or more MV fields in the results data. If you set the setting already shown then you will get 1 event with 1 artifact in but the values for some of the fields will be lists which you will need to handle in playbooks, as in configure any blocks to be able to process single and list items. Previously I have used a playbook on ingest to split the MV fields into artifacts without all the additional duplication.  Hope this helps! Happy SOARing!! 

@Komal0113  Certainly! If the IDP certificate setup isn’t working as expected, you can create your own certificate for SAML configuration in Splunk. Here are the steps to achieve this: https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/Howtoself-signcertificates   

@ujju219  To use the Splunk Add-on for MySQL Database, you’ll need to configure appropriate permissions for the MySQL user. Here are the recommended steps: MySQL User Permissions: The MySQL user account used by the Splunk Add-on requires specific permissions to interact with the database. Assign the following permissions to the MySQL user: SELECT: Required for reading data from the MySQL database. SHOW DATABASES: Needed to list available databases. SHOW TABLES: Necessary to discover tables within a database. REPLICATION CLIENT: Required for reading binary logs (if applicable). EXECUTE: Needed for executing stored procedures (if used). Database-Specific Permissions: If you’re connecting to a specific database, grant additional permissions based on your use case: Read-Only Access:If the Splunk Add-on only needs to read data, grant read-only access to the specific database and tables. Write Access:If you plan to write data back to the database (e.g., summary index), grant appropriate write permissions. Host and Port Permissions: Ensure that the MySQL user has permission to connect from the host where the Splunk instance (heavy forwarder or indexer) is running. Grant access to the specific IP address or hostname of the Splunk server. Verify that the MySQL server allows connections on the specified port (usually 3306). Secure Credentials: Store the MySQL user credentials securely in Splunk. Use Splunk’s credential management system to avoid hardcoding credentials in configuration files. Splunk DB Connect Configuration: In Splunk, configure the Splunk DB Connect input to connect to the MySQL database using the MySQL user credentials. Specify the database name, hostname, port, and other relevant details. Test the Connection: After configuring the input, test the connection to ensure successful communication between Splunk and MySQL. Verify that data retrieval works as expected. Remember to document the permissions granted to the MySQL user and monitor the data collection process. If you encounter any issues, refer to the official Splunk documentation for additional guidance.  https://docs.splunk.com/Documentation/AddOns/released/MySQL/Setup  Configure Splunk DB Connect security and access controls - Splunk Documentationhttps://docs.splunk.com/Documentation/DBX/3.15.0/DeployDBX/Configuresecurityandaccesscontrols 

Hi @kate, as you can read at https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers you can define the compatibility between the UFs versions and Splunk Enterprise; then Splunk Cloud is aligned to the last version of Splunk Enterprise. About Ubuntu, you can see at https://www.splunk.com/en_us/download/universal-forwarder.html : in few words, you have to understand wich kernel version has you Ubuntu, but in general, the last version of UF is compatible with kernel >3.x, in other words: all! Ciao. Giuseppe  

@kate  The Splunk Cloud Platform is compatible with the Universal Forwarder for data collection. Let’s determine the appropriate version of the Universal Forwarder for your use case: Universal Forwarder Compatibility: The Universal Forwarder is the best choice for collecting data from systems in your environment with minimal resource requirements. For Splunk Cloud, you should use a Universal Forwarder that aligns with the Splunk Cloud version you are using. Recommended Version: Based on the compatibility matrix, the following Universal Forwarder versions are compatible with Splunk Cloud 9.1.2308.203: 9.0.x 9.1.x 9.2.x Deployment Considerations: Deploy the Universal Forwarder on your Ubuntu (Debian 64-bit) systems. Configure it to send data to your Splunk Cloud instance. Remember to verify the compatibility and monitor the data collection process. You can find more details in the Splunk documentation. https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsingforwardingagentsCloud  https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers  https://docs.splunk.com/Documentation/Forwarder/9.2.0/Forwarder/Deploy