From the Installation Manual Upgrading Splunk Enterprise directly to version 9.0 is only supported from versions 8.1.x and higher. Upgrading a universal forwarder directly to version 9.0 is supported from versions 8.1.x and higher. See https://docs.splunk.com/Documentation/Splunk/9.0.1/Installation/AboutupgradingREADTHISFIRST

How did you make the change?  If you used the GUI then it's possible the change never propagated (I've heard rumors about this happening).  Config changes on Splunk Cloud should be made in an app which you then upload and install.

Computer terms can be confusing since they often have several meanings. "source" is where the data comes from.  In Splunk metadata, the source is the name of the file from which the data originated.  "source" can also refer to the originating server or app. "endpoint" usually refers to a user workstation, but a specific REST command is also an endpoint.

Assuming that you configured your HEC port to be 8088, that URL looks correct to me.  Also, that endpoint expects JSON data - is that what Blue Prism is sending? There are several REST endpoints you can post to for the Splunk HEC documented here. Also, here is a page with some curl commands you can use to test out the HEC endpoint locally to rule out where the issue is - that is, if it works with curl, then is there a network issue in between (e.g. firewall). HTTP Event Collector examples - Splunk Documentation       https://mysplunkserver.example.com:8088/services/collector  

Hi again @gcusello  Thank you for your information. My priority is to monitor the pc's. It would be great if you can let me know whether if it is possible to check https without checking the server but with directly getting information from the pc's. I've tried to look through my laptop's data logs but I don't think I can access to them.  It would be great if there are step-by-step explanation of it. thank you in advance

Sorry about the late update. This gives me earliest events' _time for all the selected indexes. I still have to filter out those that have been created in my selected time range which seems doable as below. But for some reason running this isn't giving be the answer I want.  Just like a join wouldn't work for  index=*  as opposed to an individual index. I can't explain what's happening.   | tstats min(_time) as earliest_event where earliest=-6mon latest=now [search index=_internal source=/opt/splunk/var/log/splunk/cloud_monitoring_console.log* TERM(logResults:splunk-ingestion) earliest=-30d latest=now | rename data.* as * | fields idx | rename idx as index] by index | eval cutoff = relative_time(earliest_event,"-30d") | where earliest_event>cutoff    

Apparently you can only do this on splunk cloud.  I don't see this option as of 9.05. https://www.splunk.com/en_us/blog/tips-and-tricks/dashboard-studio-show-or-hide-the-latest-features-in-splunk-cloud-platform-9-0-2303.html

Hi @QuantumRgw , your requirement is very larger than I thought: you have to monitor the server, the pcs and the network to identify eventual threats. When you'll have all these logs, you have to identify the possible variation or threats, it isn't an immediate job, you shoudl better analyze your perimeter (definying all the logs to use) and identify all the Use Cases to implement. Ciao. Giuseppe

Hello @gcusello  I would like to monitor the log data from the pc's in the business firm where the pc's are connected to the server. I am planning to install universal forwarder to each pc and forward it to a Host pc in the firm. I want to monitor if there is an out of ordinary events. These range through if simple pc activity monitoring like https, security events, brute force attacks etc.. I don't know whether monitoring the server would be the https logs of the pc's or single installation of each one and forwarding it will give it to me. thank you for the (https://splunkbase.splunk.com/app/3435)  security essentials,