Which HEC endpoint are you sending to?  The behavior is different depending on the endpoint.  The /event endpoint will ignore props settings, but the /raw endpoint honors them. The TIME_FORMAT value doesn't match the data.  Try using %Y-%m-%dT%H:%M:%S%:z ... View more

That's a Splunk app that's no longer supported and has been archived.  It was never supported on Splunk Cloud. You can try uploading it as a custom app, but Splunk may recognize it and reject it.  If that happens then you'll need to rename the app, making sure to change the directory name and update app.conf.  Even then there's no guarantee it will pass vetting. ... View more

This forum is for questions and answers about Splunk products.  It's not a consultation service.  If you need someone to look at your system then Splunk offers On Demand Services and Professional Services for that. Have you enabled inputs in the Splunk Add-on for Windows on the UF?  Did you restart the forwarder after enabling the inputs?  How did you determine no data is being ingested? ... View more

The Search Head determines if the alert should be displayed or not so that is where the threshold is set.  Go to Settings->Health Report Manager to change the threshold. ... View more

The Forwarder Management page in the DS will do that for you.  If it doesn't show what you want then please tell us your use case and we can suggest something. ... View more

The data is a simple CSV file so the props just need to specify that. [sap:systemlog] INDEXED_EXTRACTIONS = csv DATETIME_CONFIG = CURRENT No need for REPORT or EXTRACT. ... View more

There appear to be a few problems here. 1) The SharePoint app should have a single folder called 'default'.  The default folder should contain the files shown in the first screenshot. 2) Universal Forwarders do not consume disk space so filtering will not save any there.  Caveat: if you use persistent queuing then the UF will use disk space, but the space will be returned once the queue is drained. 3) Universal Forwarders do not process transforms so they cannot filter events this way.  Put the props and transforms on the first full instance that touches the data (indexer or heavy forwarder). ... View more

Splunk has a few courses on ITSI at https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/catalog/search?searchText=ITSI   ... View more

Do the Google and ChatGPT tricks include this? ... | chart sum(cost) AS total_cost BY bill_date | eval total_cost = "$" . total_cost I'm not entirely sure it will work, but worth a try. ... View more

python.version = python3.10 is not a valid setting.  Allowed values are default, python3, python3.7, or python3.9.  I don't know how you were able to add Python 3.10 to Splunk, but doing so does not change the validation of python.version settings.  I strongly recommend using only the versions of Python that ship with Splunk (3.7 or 3.9). ... View more

Please tell us more about the problem you are trying to solve so we can find a solution for you. ... View more

Contact Splunk Support.  They may have a link to a version that works for you. ... View more

You must have a license to run ES before you can download it.  A Developer license does not grant access to ES. ... View more

To allow the UF access to port 514, try this setcap 'cap_net_bind_service=+ep' /path/to/uf ... View more

Those error messages are saying Splunk does not have permission to use port 514.  All ports <1024 are "privileged" and require special permission to access.  Running Splunk as root will solve that, but I highly discourage that. The recommended practice is to send syslog data to a dedicated syslog receiver (syslog-ng, for example), have it write the data to disk, and have a UF monitor those disk files.  You also can use Splunk Connect 4 Syslog (SC4S) to send the data directly to Splunk. ... View more

Adding on to @livehybrid's response, sending TCP/UDP directly to a Splunk instance is discouraged.  The reason is any time that instance restarts data is lost.  Also, the usual distance between the data source and Splunk increases the chances of UDP data getting dropped. ... View more

Check out the search_et and search_lt fields. ... View more

What have you tried so far?  What were the results? ... View more

Are you using the exact same time span each time?  That is, not '-24h', but "2025-06-23:15:10:00". Please share your SPL. ... View more

For some reason, Splunk has stopped receiving data.  It could be because of any of several reasons.  Check the logs on indexer for possible explanations.  Also, the Monitoring Console may offer clues - look for blocked indexer queues. ... View more

Contact Splunk Support for versions not available on the web site. ... View more

An unset token has no value, but it is not null, either.  It's as though the token doesn't exist. Splunk will not execute a query if any of the tokens within it are undefined. ... View more

The REST API lets you run searches and retrieve the results, but cannot render visualizations.  That's normally done by the web browser so if you're not using that then Splunk visualizations are not possible.  The customer would have to use the data fetched by the API in another tool to create charts. ... View more