I have been testing out SmartStore in a test environment. I can not find the setting to control how quickly data ingested into splunk can be replicated to my S3 bucket. What I want is for any data ingested to be replicated to my s3 bucket as quickly as possible, I am looking for the closest to 0 minutes of data loss. Data only seems to replicate when the Splunk server is restarted. I have tested this by setting up another splunk server with the same s3 bucket as my original, and it seems to have only picked up older data when searching.    max_cache_size   only controls the size of the local cache which I'm not after   hotlist_recency_secs   controls how long before hot data could be deleted from cache, not how long before it is replicated to s3   frozenTimePeriodInSecs, maxGlobalDataSizeMB, maxGlobalRawDataSizeMB   controls freezing behavior which is not what I'm looking for. What setting do I need to configure? Am I missing something within conf files in Splunk or permissions to set in AWS for S3?  Thank you for the help in advance!

Hello, I'm looking for assistance with a webmail-only report, I ran a query and I only got ActiveSync output, my customer is only interested in OWA not ActiveSync as a report for their users. Code which produced only Active Sync. index="iis_logs_exchxxx" sourcetype="iis" s_port="443" c_ip!="10.*" c_ip!="127.0.0.1" c_ip!="::1" cs_method!="HEAD" cs_username="*@domain.com" | iplocation c_ip | eval alert_time=_time | convert ctime(alert_time) timeformat="%m/%d/%Y %H:%M:%S %Z" | table alert_time,cs_username,cs_User_Agent,c_ip, City, Region, Country | stats values(c_ip) by alert_time,cs_username,cs_User_Agent,City,Region,Country | rename cs_username AS "Username", values(c_ip) AS "IP addresses", cs_User_Agent AS "Device Type", alert_time AS "Date/Time"

Hi, I am runing Splunk Stream to collect DNS data from Domain Controllers. On some of the busy DCs the Splunk_TA_stream is generating lots of the following errors:     ERROR [9412] (SplunkSenderModularInput.cpp:435) stream.SplunkSenderModularInput - Event queue overflow; dropping 10001 events     Looking at the Splunk Stream Admin-Network Metrics dashboard these seem to occur at the same the Active Network Flows seem to be hitting a limit: I would like to increase the number of network flows allowed in an attempt to stop the event queue overflows. Looking at the documentation I can see 2 configurations that seem relevant: maxTcpSessionCount = <integer> * Defines maximum number of concurrent TCP/UDP flows per processing thread. processingThreads = <integer> * Defines number of threads to use for processing network traffic. Questions: 1) What is the default for maxTcpSessionCount and processingThreads? 2) Would parameter would it be better to increase? Also are these the correct parameters to be looking to tune with the errors I am getting. If not what should I look at?