Well, no. That's not how you do it. 1. I know it's not gonna help here but you forgot to do one very important thing as this is something you're not experienced with - plan and test. You should have deployed a test instance (possibly using a trial version of Splunk), then do your planned migration and verify if everything is OK. 2. You say you have RHEL servers. Are you even using RPM packages? You should. 3. If the instructions say "unpack new version over your existing files", it's _not_ the same as unpack and then overwrite with your existing files. At this moment it's hard to tell what config you ended up with and what's really happening underneath. You can check _internal index for errors. You can see whether your events are ingested into your indexes (for example by doing tstats over recent short period of time). In this case you might simply have a misnamed server (many reports in MC search for host with your server's name - if you changed it, it could have caused some confusion for Splunk).

we don't have permission to install the app. i will try to ask the infra team again. is there an option to add the alert result to this query? | rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"

This would work but possibly not the way you meant. I suppose you want this part ([^\\"]+) To match everything up to (not including), the closing \" It doesn't work that way. It will match any sequence of any characters which are not either a backslash or a quote. Which means if your string would contain some escaped character (like \'), your match would terminate there. And since you explicitly want the \" part immediately adter that , the whole regex won't match. Oh, and since you're only matching the "static" parts of your events your match groups that you use for FORMAT will only contain those which is probably not what you want. You could try to fiddle with negative lookaheads/lookbehinds like (.*?\\"addressLine1\\":\\").*(?<!\\")(\\".*)

Hi @gillisme  The Splunk Doc(selected your version 8.2.6) suggest to copy /opt/splunk(from old to new system) and then install the Splunk on the new system. (this is important, as when Splunk is installing, it checks the config files and it need to alter the installation depending on the config files) https://docs.splunk.com/Documentation/Splunk/8.2.6/Installation/MigrateaSplunkinstance#How_to_migrate When you migrate on *nix systems, you can extract the tar file you downloaded directly over the copied files on the new system, or use your package manager to upgrade using the downloaded package. On Windows systems, the installer updates the Splunk files automatically. Stop Splunk Enterprise services on the host from which you want to migrate. Copy the entire contents of the $SPLUNK_HOME directory from the old host to the new host. Copying this directory also copies the mongo subdirectory. Install Splunk Enterprise on the new host. Verify that the index configuration (indexes.conf) file's volume, sizing, and path settings are still valid on the new host. Start Splunk Enterprise on the new instance. Log into Splunk Enterprise with your existing credentials. After you log in, confirm that your data is intact by searching it. The 4th step -  4- copy the old rhel6 /data/splunk dir on to the new rhel8 server, in the /data/splunk dir is incorrect. As the data buckets in hot buckets should be treated carefully. Pls check this below steps from the doc: How to move index buckets from one host to another If you want to retire a Splunk Enterprise instance and immediately move the data to another instance, you can move individual buckets of an index between hosts, as long as: When you copy individual bucket files, you must make sure that no bucket IDs conflict on the new system. Otherwise, Splunk Enterprise does not start. You might need to rename individual bucket directories after you move them from the source system to the target system. Roll any hot buckets on the source host from hot to warm. Review indexes.conf on the old host to get a list of the indexes on that host. On the target host, create indexes that are identical to the ones on the source system. Copy the index buckets from the source host to the target host. Restart Splunk Enterprise. PS - if any reply helped you, pls upvote/add karma points. if any reply solves your query, pls accept it as solution, thanks.

Hi @abedcx  The issue is the timestamp. i believe you found out some details from @richgalloway 's replies.  the Actual issue.. when you are searching, there are sooo many events with same timestamp, so Splunk is not able to do the searching. May we know what your search query(SPL).. we can fine-tune it, so that the Splunk will need not look into sooo many events. please suggest, thanks. 

Thank you so much for your time ,  @richgalloway    But i noticed that the splunk read the date from my csv and this date is for me not for splunk time    how can i tell splunk to not use this date (that is in my csv ) and make splunk to generate a date when indexing the data    in other words and as you can see in my bellow screenshot my date is the same and duplicated and i have more than 3 billion recoreds most of them same date and this date it's for me so how can i tell splunk to not use this date   

There is a hardcoded 256K (262144) fields limit on S2S receiver. So the connection will be terminated. It's likely that HF/SH will retry sending same data again, thus blocking HF/SH permanently.    Check if there is any issue with the field extraction on FWD side. After all 256K fields are too many for an event. Assuming you still need that event with 256K+ fields. Here is what you do. 1. Move all props.conf/transforms.conf settings for the input source/sourcetype in question. ( Note ERROR log on indexing side provides source/sourcetype/host). 2. Add following config in the inputs.conf of the source stanza in question so that parsing is moved from HF/SH to IDX tier. queue = indexQueue

I've run into that 10k limit before, for sure, but this is also something that I thought | format helped with? "mylist" directory, for example, might have 50k entries, but it's returned as a single line (1 row). thank you!  

Hi @splunkettes  - I’m a Community Moderator in the Splunk Community.  This question was posted 4 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!