Hey all, I have a 2019 windows client - sending some default data , but there are a handful of inputs that are visible on the inputs.conf in the apps folder (which some of the inputs on that very same inputs.conf are working)  that are not showing up on the front end.  These same apps and corresponding inputs are working on non-windows 2019 FWDs/clients Any ideas? Thanks!

Hi, it seems the "splunkd service" process has significant CPU consumption (eg 40%; 31% and so on). These virtual machines have 2 cores. how many CPUs are recommended in a windows server running the splunk universal forwarders agent?

Hi Team,    There is a two reports one report(1st report) has timestamp other report(2nd report) doesn't have timestamp so, extracted date from source filename..the report which doesn't have timestamp have few fields which needs to be join from 1st report and 2nd report but sometimes the 2nd report will not be received. In that case, which need to be pick up the previous day or available previous file. is there any earliest comparison and pick the values from 2nd report? what command to be used in that case?

Hello Community, I have distributed environment with 2 indexers (each has 48 vCPU, 64gb RAM), which are ingesting 200 gb logs/day (each indexer). I want to send to them another 200 gb  syslog logs per day (for each indexer), but I want to filter the logs before indexing. I would index only 10% of 200gb of that additional syslog logs at each indexer, so 90% would be rejected. Could you please tell me what are hardware requirements for such setup? I couldn't find any hints.

Dear All, I'm taking the freedom, to write here, just, to see, if, maybe, it would be possible, to get, some, of your support (it would be, regarding, query parameters, in a dashboard URL) So, just, to describe, the scenario: We are creating, a dashboard, using Splunk Enterprise Dashboard Studio (version 8.2.5) In that dashboard, we have placed, some inputs (3 normal dropdowns, 3 multiselect) Now, as, you may, probably, imagine, for each input, we have, an associated token (token1, token2, etc.) (so far, I guess, it's clear  ) Now, as you may, probably, know, when we use, a Classic dashboard (and, when we access, a specific one), we, in the dashboard URL, can, see, the inputs names (and their values) (just, to provide, with a basic example): https://server:8000/en-US/app/app_name/dashboard_name?form.input1=val1&form.input2=val2 (so, as we can see, with a Classic dashboard, this, all, is, good) Now, in our case, we are using, Dashboard Studio (as, you may, probably know, here, the URL, gets displayed, slightly different) In our example: https://server:8000/en-US/app/app_name/dashboard_name Now, our client, asks, if, when accessing this dashboard, it would, be possible, to see, the inputs (and their values), in the URL (just, as we do, in Classic dashboards) (as per my research, I haven't been able, to find, this possibility) To sum up: Kindly wondering, if, maybe, some of you, would be, kind enough, to provide, with some guidance  Thanks a lot! Sincerely, Francisco

Hi, Team I want to use tokens for email and xMater notification. I have one field named Server. So this is what I write for message for xMatter alerting: Data isn't refreshed in time on $result.Server$ But here's what I received: Data isnt refreshed in time on genesys-pulse-tko-04.hk.hsbc genesys-pulse-tko-04.hk.hsbc The name of server shows twice on the message.  Another case is I use token for email notification: here's what I write on splunk: The alert condition for $result.Server$ was triggered. here's what I receive when the alert is triggered: Anyone knows the reason of these cases?

When using HF to collect logs on the cloud， Because the add-on used cannot set host， So the host of the data is the name of HF， but it needs to reflect that the data comes from an impassable environment， And the same data type uses the same sourcetype. At present, the way I use is First, use different sourcetypes to access data  At this time, they have the same host （HF name） then, I use props and transforms to modify their host and Change their sourcetype to the same one the question is modify host and change sourcetype  Only one will take effect. Is there a way to modify the host first and then modify the sourcetype？ Or something better ？