You could do that, but I don't advise it.  When those VMs are rehydrated their Splunk license will (probably) be expired so they will not function in the same distributed fashion they do now. A better approach would be to archive a fresh download of the current Splunk software version.  When you need the archived data, launch a few VMs (a search head and some indexers), install the software, and thaw the data.  The fresh software installation will give you 30 days of distributed functionality. You could use a single VM on which to thaw the data and search it.  That gives you an unlimited period for searching (no license expiration after the switch to Free in 30 days), but will be much slower since it's just one indexer performing the search. Be warned that your "time capsule" of data may become the equivalent of an 8-track tape in a few years.  The current version of Splunk may not support the OS you're using (or is available) when you need the archived data.  Future versions of Splunk may not support the index format used today (although that's unlikely). ... View more

You must have permission to open/view cases before the dropdown will populate.  Contact your portal admin or the person who owns your Splunk license if you need to be on the entitlement. ... View more

PS can migrate live data to your Splunk Cloud stack.  I'm pretty sure they cannot migrate frozen data (couldn't when I was in PS).  The data will live only as long as you are subscribed to Splunk Cloud, however (plus 30-ish days). ... View more

Frozen data cannot be restored to Splunk Cloud.  You must stand up your own Splunk instances (local or virtual) for thawed data. ... View more

Yes, there is a way to troubleshoot.  Run the alert query manually and modify it until the expected results are produced. If you want help with this, please share the alert SPL. ... View more

You'll need to create a modular input to do that.  Use regular expressions to test the incoming data, discard matches and log the activity. ... View more

Start with the docs at https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-collector/share-hec-data.  It's labeled version 10, but should apply to 9.x pretty well. The endpoint URL is derived from your HF or indexer URL. https://mysplunkserver.example.com:8088/services/collector Details are in the docs. The sourcetype is specified in the HEC request, again, details in the docs.  https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-collector/format-events-for-http-event-collector ... View more

Try this SPL command  | rex mode=sed "s:([^\/]+):\1:" To make the change at index time, put this in props.conf: [mysourcetype] SEDCMD-postSlash = s:([^\/]+):\1: ... View more

I suspect the error message stems from a non-admin user trying to run a command as an admin user (the "admin" in 'servicesNS/admin/...').  Try running the command /services/search/jobs/rt_scheduler__admin__search__RMD55bf3dd661d6ebedc_at_1756741585_99.3/events?output_mode=json or /servicesNS/-/search/search/jobs/rt_scheduler__admin__search__RMD55bf3dd661d6ebedc_at_1756741585_99.3/events?output_mode=json to get the information available to the user (which may be nothing). If those don't give the desired results then you may need to give the user the list_search_scheduler or admin_all_objects capability. BTW, that endpoint is deprecated.  The user should switch to the v2 endpoint. ... View more

In Simple XML we would use an <init> stanza to set a static token value.  The equivalent in DS is a default stanza.  See https://community.splunk.com/t5/Dashboards-Visualizations/INIT-equivalent-in-Dashboard-Studio/m-p/633902 ... View more

Examination of the add-on itself ($SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default) shows what KOs it creates. There are the datamodels, of course, and the macros used within them. There also are calculated fields, indexed fields, aliases, and reports for the audittrail, splunkd, and splunk_web_services sourcetypes. The stash_common_action_model sourcetype. Also defined are a KVStore collection, an external command, eventtypes, an index, inputs, REST endpoints, saved searches, tags, transforms, and dashboards. Some of these probably should be documented.  Submit feedback on the Docs page to request it. IMO, every TA should be examined before it is installed to see what it brings to the environment.  This helps to prevent undesired side-effects and makes the admin aware of any local changes that may be needed (like to indexes.conf). ... View more

You are correct in that the collect command duplicates events.  There is no way to move an event from one index to another. The recommended (but painful) way to delete events is: Use collect to copy the desired events to a temporary index Delete the old index or set frozenTimePeriodInSecs = 1  Use collect to copy the desired events from the temporary index back to the old one Delete the temporary index You can avoid steps 3 and 4 if you can change your KOs to use the new index name in place of the old one.  This should be easy if you have a macro for the index name. ... View more

To answer the first question, there is no way to skip parts of a query.  SPL does have branching or conditional execution.  Commands are processed from beginning to end with the exception of the require command which aborts the query if there are no results. I don't have alternatives, however.  There are ways to speed up the query (like combining the inputlookup and where commands), but no simple way to accomplish the goal. BTW, the description says it takes [first:last-1] entries, but use of the tail command means it's taking [first+1:last]. ... View more

Please share the code that generates the data for the map. ... View more

More details would help us better understand the problem so can offer solutions. If recent logs are not found in Splunk then try these steps confirm the application is still running confirm the Splunk forwarder is still running If the application overwrites the file then it's possible Splunk thinks it has already indexed the data.  In that case, you may need to update the initCrcLenth setting in inputs.conf. ... View more

To ensure proper processing of data, EVERY sourcetype should have settings in a props.conf file.  This keeps Splunk from having to guess about the data and improves onboarding performance. If data with the XmlWinEventLog:ForwardedEvents sourcetype looks similar to data with the XmlWinEventLog sourcetype then it's a simple matter of copying the XmlWinEventLog stanza in props.conf to create a XmlWinEventLog:ForwardedEvents stanza. ... View more

If your problem is resolved, then please click the "Accept as Solution" button to help future readers. ... View more

The session timeout setting is global.  There are no user-specific or role-specific timeout settings. ... View more

By default, a character class (anything inside square brackets) will match a single character.  That's why you get only "A".  Use a quantifier ('+' or '*') to match multiple characters. The current regex matches anything that is not an asterisk, which would be everything in the sample data.  I expect this is not the intent.  Try this regular expression, which matches up to the first backslash in the MessageType field. MessageType\\":\\"(?<Type>[^\\]+) Note: You probably will need to escape the embedded quotation marks in the expression to get it to work in SPL.  Because of the multiple layers of processing, multiple escapes are required - something like this MessageType\\\\\":\\\\\"(?<Type>[^\\]+)   ... View more

This is a challenge because how different users might define "unused" and because there is no tag to say if data is "used" or not.  A good starting place, at least for Splunk Cloud users, is the "Underutilized source type(s)" alert in the CMC. Other users will need to craft a search that scrubs logs for sourcetype references and another search that compares those references to a list of all sourcetypes on the system.  It won't be perfect, either.  See .conf24 session PLA1837B for more info and SPL to get you started. ... View more

Why do you want to associate indexes with indexers?  Doing this breaks parallelism and will make searching each index take twice as long as it would if the data was evenly distributed across both indexers. If you're seeing all of your data on indexer02 then the load balancing settings in the HF should be adjusted.  Or, better yet (as @isoutamo suggests), eliminate the HF. ... View more

Splunk rarely announces future features.  We won't know it's coming until it's here. Consider going to https://ideas.splunk.com to request it. ... View more