Imagine I have an app with Intrusion Detection data  If I want to make my app CIM compliant I need to add aliases, tags and calculated fields like in the Intrusion Detection Datamodel ? For example, if I have a field called "Alert level", I need to create an aliases in my app in order to rename it as "severity_id"? Or is it better to create a own datamodel from my app and to query from this datamodel with tstats? | tstats count from datamodel=TEST

The btool command shows *all* of the settings that will be applied the next time Splunk restarts.  It takes file precedence into account when generating the output.  The first column produced by the --debug option is the name of the file from which the setting was read.

Hello @MihaiGheorghita , You can restore access to older jQuery libraries on the following path:  Go to your Search Head and then: - In the Search & Reporting app, select Settings > Server Settings, and then select Internal Library Settings >  toggle the jQuery Libraries older than 3.5 section to restrict/unrestrict older jQuery libraries. Doc: https://docs.splunk.com/Documentation/UpgradejQuery/1/UpgradejQuery/LibrarySettings#Restrict_access_to_older_versions_of_jQuery Thanks.

I'll presume you've read the CIM manual at https://docs.splunk.com/Documentation/CIM/5.3.1/User/Overview .  What specific questions do you have about what you read (or couldn't find)? CIM is not an Easy Button.  That is, installing the app will not make your apps CIM-compliant.  Instead, you must add aliases, calculated fields, and/or other KOs so your app will produce CIM-compliant data.  The CIM manual lists the fields expected by each datamodel (not all fields are required). Depending on your app, it's possible no DM will apply.  That's OK.

Hi @Mad2, about Universal Forwarder, as @richgalloway said, you don't need it if you have a full Splunk instance, even if it's a lab installation. About the opportunity to have Search Head, Indexer and Monitoring Console on the same server, it's possible if you have a stand alone Splunk Server , and to have it, you don't need to do nothing, only install Splunk. If instead you have a distributed architecture, with more SHs and/or more indexers, it isn't possible: you must have dedicated systems for SHs and different dedicated systems for IDXs. Monitoring Console could share the system with other roles, but not SHs, IDXs and Deployment Server (if you have to manage more than 50 clients). Ciao. Giuseppe

Don't install multiple instances of Splunk on the same server as that invites trouble.  It can be done, but it requires and lot of customization. There's no need to have a UF on the same server as a full instance of Splunk since the full instance can do everything a UF can do (and more).

... you have to click the data collector rule you want to choose the business transactions for, to highlight it, and then click on 'Configure Transactions using this Data Collector,' to bring up this box, where you select the business transactions within which the method will be called, and move it over the the left, then click 'save.'  If you haven't done this part, the data will never make it to Analytics, even if it is showing up in Snapshots.

As of ES 7.2, auto-refresh feature is available on Incident Review Page. Auto-refresh is paused when selecting or editing a Notable.  This will allow you to work the notable without refreshing the list.  You can manually re-load the IR Page and Auto-refresh is turned back on. See below KB for more details on how to enable it: https://docs.splunk.com/Documentation/ES/7.3.0/Admin/CustomizeIR#Configure_auto-refresh_to_update_notables 

@ITWhisperer however, I need to create a parser which will parse the events which have the timestamp like  "time: 2024-02-15T11:40:26.498494245Z" I read on the community that Splunk does not support nanoseconds. so, if I put in the microseconds logic(%Y-%m-%dT%H:%M:%S.%6Q%Z), will I get the values till microseconds?