The short term solution we went with was to update the deployer_lookups_push_mode to not update the lookups as part of the push. Then, any time we needed to update the lookups, we leveraged the lookup editor app's API endpoint to make our updates (/services/data/lookup_edit/lookup_contents) as part of our ci/cd pipeline which we use to push updates to the cluster. There are example scripts posted online you should be able to find pretty easily in order to do this. It's not the most elegant solution, but it's getting us through until we can upgrade

Hi Actually you can but you shouldn't Just "play" with port numbers on conf files and use tar package and install those on separate directories. This is doable on lab env, but never do this on production. But you shouldn't start your Splunk career with this kind of hack. Just use enough VM's etc. r. Ismo

Hi you should just enable that input on your linux box inputs.conf. BUT there is issue if you are using other than local accounts on /etc/passwd (like AD or ldap authentication). This passwd.sh reads only events on /etc/passwd file nothing else. It's quite common that most of users are on LDAP or AD and they are authenticated and authorise against those directories. Then there is no information of those users on local server. Probably most linux shops (more than couple of servers) do it that way. Unfortunately Splunk_TA_nix didn't support currently anything else than local accounts. Basically you could try to create a new check like passwd_getent.sh which is copy from passwd.sh with next modification. CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; cat $PASSWD_FILE' ====> CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; getent passwd' This should work in most recent linux versions, but unfortunately I haven't suitable environment test it now. Of course you need to fix check also on inputs.conf too. r. Ismo

What do you mean by "throughput limit"?  The UF has a rate limit which defaults to 256kbps.  The UF will read data at that rate until it catches up (if ever), but it will not stop reading. Tell us more about the symptoms so we can offer suggestions.

On MC (monitoring console) is own dashboard to show license usage. There are some selection by which you can see values. Just go Settings -> Monitoring Console  Indexing -> License Usage -> Historic License Usage then Split By: By Index Otherwise if you have all in one server you could check this also from Settings -> Licensing Usage Report Previous 60 days Split by: index   Those both shows by N (10?) biggest indexes. If you want to check some specific index then just copy that query by opening it from magnify glass. Then modify it something like index=_internal idx=<YOUR INDEX NAME> [ `set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [ search index=_internal idx=<YOUR INDEX NAME> [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] r. Ismo

Thank you for your answer, unfortunately i tested your answer on my real data that are quiet complex than the one I gave. I need to work on  statement included in a xml field from sys event log. Some statements have only one word and other have more than two words. Statement is delimited by a carriage return in the event. So the search | rex ".*statement:(?<statement>\w+(\s\w+)?)" In the event below  the statement field returned is sp_addlinkedsrvlogin additional_information The word after sp_addlinkedsrvlogin is on the next line, so it's not what i expect. In this case, i just want sp_addlinkedsrvlogin Please find the complete event above.   Regards, Tchounga <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQL$MWPBZAS1$AUDIT'/><EventID Qualifiers='16384'>33205</EventID><Level>0</Level><Task>3</Task><Keywords>0x80a0000000000000</Keywords><TimeCreated SystemTime='2023-08-31T04:30:01.964529800Z'/><EventRecordID>134063208</EventRecordID><Channel>Security</Channel><Computer>swpcfrbza354.cib.net</Computer><Security UserID='S-1-5-21-2847098101-2387550839-3588296759-1127899'/></System><EventData><Data>audit_schema_version:1 event_time:2023-08-31 04:30:00.9332742 sequence_number:1 action_id:CR succeeded:true is_column_permission:false session_id:53 server_principal_id:272 database_principal_id:1 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:5417128 class_type:SL duration_milliseconds:0 response_rows:0 affected_rows:0 client_ip:100.83.120.237 permission_bitmask:00000000000000000000000000000000 sequence_group_id:93E8A6AF-640E-4EC2-B401-76F0ED6957A9 session_server_principal_name:CIB\ipcb3proc-sqlag-bd4 server_principal_name:CIB\ipcb3proc-sqlag-bd4 server_principal_sid:010500000000000515000000f544b3a977224f8e3710e1d5dc351100 database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:SWPCFRBZA354\MWPBZAS1 database_name:master schema_name: object_name:LSuser statement:sp_addlinkedsrvlogin additional_information:&lt;action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"&gt;&lt;server_name&gt;&lt;![CDATA[SWPDFRSQLADM1\MWPADM01]]&gt;&lt;/server_name&gt;&lt;/action_info&gt; user_defined_information: application_name:SQLAgent - TSQL JobStep (Job 0x451A71BE3BB91D4DBF2A1A6C12446006 : Step 1) </Data></EventData></Event>