Hello, I have in the "Network_Traffic.All_Traffic" a Calculated Field called "rule". The Datamodel is accelerated, therefore the eval expression is not editable from Web UI and I cannot see the expression to extract/calculate the field. I tried searching in all the *.conf files but I do not find it, I was expecting to find it on a props.conf I know the workaround is to temporary disable the acceleration, so that the calculated field becomes editable and I can see how it is calculated, but I would like to avoid doing that. Is there any other way to do that OR do you know where the Datamodel Calculated Fields are saved? Thanks a lot, Edoardo

Hi Splunkers, I struggled badly trying to get this solved, but no luck? I need to join to a different search using the ip_address to get the host name : Base search for the join: index= X  sourcetype=server  dv_ir=4311.00. The dv_name field is the host name and the dv_ip_address is the ip_address. Any help will be appreciated. Thank you all!  

I've had quite a good look around the internet and have been unable to find an answer to this question. This question in particular touches on it, but the performance comparison is left unanswered. We are thinking about moving away from Splunk UF to an open source solution, which will likely only support HEC. Before making this change I'd like to know any consequences on performance/resource usage on the indexers. What are the impacts on resource usage and index/search performance between UF and HEC?

I am not able to find the host field information for the events coming from a particular machine.  This is related to a particular source type. Other logs from a different source type from the same machne has host field information. Events are reaching splunk, but they are missing host field information. Can someone help?

I have used the "Prometheus Metrics for Splunk" plugin from the Splunk Apps to get data from the Prometheus remote write. Both Prometheus and Splunk are installed on the local Windows machine (for testing).  A Prometheus remote write is used to send data to the splunk. Splunk Configuration ```` [prometheusrw] port = 8098 maxClients = 10 [prometheusrw://856412] bearerToken = ABC123 index = prometheus whitelist = * sourcetype = prometheus:metric disabled = 0 ```` Prometheus configuration ```` - url: "http://localhost:8098" authorization: credentials: "ABC123" tls_config: insecure_skip_verify: true write_relabel_configs: - source_labels: [__name__] regex: expensive.* action: drop ```` prometheus error log: ```` ts=2022-07-12T11:40:22.139Z caller=dedupe.go:112 component=remote level=info remote_name=856412 url=http://localhost:8098 msg="Done replaying WAL" duration=10.5184238s ts=2022-07-12T11:40:22.438Z caller=dedupe.go:112 component=remote level=warn remote_name=856412 url=http://localhost:8098 msg="Failed to send batch, retrying" err="Post \"http://localhost:8098\": EOF" ```` Suggest corrections/ways to get prometheus data to Splunk.