only 1 of my indexer having this issue  during upgrade. firstly , i use domain account to install  Then encounter this issue : Splunk Enterprise Setup Wizard ended prematurely Splunk Enterprise Setup Wizard ended prematurely because of an error.  Your system has not been modified.  To install this program at a later time, run Setup Wizard again.  Click the Fiinish button to exit the Setup Wizard.   Setup cannot copy the following files:  Splknetdrv.sys SplunkMonitorNoHandleDrv.sys SplunkDrv.sys after then i refer to this KB : https://community.splunk.com/t5/Installation/Why-does-Splunk-upgrade-to-version-9-1-0-1-end-prematurely/m-p/652791 follow this step : Solution: Install Splunk from the command line and use the LAUNCHSPLUNK=0 flag to keep Splunk Enterprise from starting after installation has completed. For example : PS C:\temp> msiexec.exe /i splunk-9.0.4-de405f4a7979-x64-release.msi LAUNCHSPLUNK=0 You can complete the installation, and before running SPLUNK, you need to grant the user "Full Control" permissions to the Splunk Enterprise installation directory and all of its subdirectories. Splunk upgraded succesufully to 9.1.2 but not able to start . i changed to local admin and try repair but yet still hit  same error : Setup cannot copy the following files:  Splknetdrv.sys SplunkMonitorNoHandleDrv.sys SplunkDrv.sys my splunk services still not able to start and cant see any error in logs. The Splunk services are still unable to start, and there are no apparent errors in the logs. Can anyone provide assistance with this issue?  

Have a simple dashboard filtering logs by AppID's and related Servername. First dropdown search defaults to "*" for all AppID's but search obtains all AppID's which you can select and has a token for $AppID$ eg. "index="applogs" sourcetype="logs:apps:inventory" | table AppID | dedup AppID | sort AppID" Second dropdown searches by $AppID$ token of First dropdown, to get the list of Servernames returned for selected AppID eg. "$AppID$" index="syslogs" sourcetype="logs:servers:inventory" | eval Servername = host."\\".InstanceName | table AppID Servername | dedup Servername | sort Servername This has a token for $Servername|s$ (escape chars in server name), which gets added to a bunch of search panels. For example, select App49 in first dropdown, and it returns ServerA, ServerB, ServerC, ServerD in the second dropdown. Selecting ServerA, B, C or D in the second dropdown then searches bunch of panels filter by that Servername token. Thats all working fine, but by default I want the option to search all panels by all $Servername$ options in the second dropdown related to the selected AppID. Adding a "*" wildcard option in second dropdown as in the first, just returns all Servernames, not the ones filtered by the $AppID$ token. How can I default my second drop down to an "All" option that does this? eg. searches all panels by all the results that get populated in the second dropdown from the $AppID$ of the first?

Hi, We are ingesting data into Splunk Cloud to below index: ------------- index=zscaler source=firewall -------------   Is there a way we can forward this (from Slunk Cloud) to Trend Micro's HTTPS API or a TCP stream?   Thanks in advance for any help!