Check out the lastPhoneHomeTime field returned by that endpoint.  It says when each client last connected to the DS.  Use that value to determine if a client is disconnected or not (you can decide how old the value needs to be). ... View more

How are you searching for the text now?  If you're using a regular expression, please share the regex. How would a five-year-old (a.k.a. a computer) know that "EDC5133I" is the text to find and not some other part of the TEXT field? ... View more

The admin credentials are used for certain CLI commands.  You should be able to start Splunk without admin creds, but that means the CLI commands that require them will not work.  It's pretty rare to need to use those commands on a UF. ... View more

You didn't answer the question.  🙂 Please tell us more about what you tried and how those trials worked.  "A number" isn't something we can work with. Are you extracting the field at search time or at index time?  What commands/settings are you using? ... View more

It would help to know what you've tried so far and how those efforts failed to meet expectations. Have you tried this regular expression? message":"(?<message>[^"]+) If you're extracting the string at search time then you will need to escape the quotation marks (\\\"). ... View more

That's not a lot to work with, but you probably should install the script as a scripted input on the HF. Never change anything in a default directory - use local. ... View more

I would consider putting inputs.conf and the props associated with the sourcetypes in those inputs into the same app.  I also would ensure all inputs are disabled by default. If multiple input.conf file reference the same sourcetype (like "syslog", to use a bad example) then I would move the props to a separate app.  This should help future maintainers realize the props are not specific to any one input. ... View more

I vote in favor of maintaining the split - not as an input/props split, but as an on-prem/cloud split.  Inputs that work on-prem probably don't work (at least not the same) in the cloud and props in one may not apply to the other. ... View more

That is exactly the solution.  See https://advisory.splunk.com/advisories/SVD-2026-0206   ... View more

If Cribl is sending to the HEC event endpoint then the data is treated as cooked by Splunk and index-time props will be skipped.  If the data is sent to the raw endpoint then it is uncooked and normal pipeline processing applies. ... View more

Just because there not a fix available now does not mean Splunk won't issue a fix. Yes, you can remove the jar file, but do so at your own risk.  At the very least, the file integrity checker will notice the missing file and alert you to it. ... View more

The safest and only supported way to take care of any Splunk "vulnerability" is to wait for Splunk to issue a version that corrects the problem and then install that version. ... View more

Windows should have a built-in tool to uninstall software.  There also are plenty of third-party tools to do so.  Splunk does not provide one. ... View more

There's not much you can do to prevent users from entering random index=foo lines into inputs.conf files without locking down the files or overwriting them from the DS.  There are some things you can do that might help. Define a "last chance" index.  Inputs with an index that doesn't exist will send their data here.  You can set up alerts to notify you when data arrives here so the input can be corrected. Use Ingest Actions in the intermediate forwarders or indexers to redirect data to the correct index, if it can be determined (by sourcetype, perhaps). Use data from the last chance index to create a "Hall of Shame" calling out those who do not follow the proper onboarding procedures. ... View more

The list of supported operating systems is in the Installation Manual.  Debian 13 is not on that list.  That doesn't mean Splunk won't work on Debian 13, just that Splunk Support may not be able to help you if you have a problem with Splunk on that OS. ... View more

Forwarders don't store data locally - they just forward it somewhere else. If data was stored locally you wouldn't be able to search for it since the data would not be on a search peer. ... View more

If the goal is redundancy, then the typical solution is to put a load balancer in front of two syslog servers and let each syslog server forward data as it is received. ... View more

The page is updated as new advisories are published.  Not every CVE will be listed, just those affecting Splunk. Consider subscribing to the RSS feed on that page so you know about updates as soon as they occur. ... View more

If the CVS is not mentioned in the advisory pages then Splunk has no advice on it.  Either there is no available fix for it or the CVE does not affect Splunk, but we won't know which until the advisory pages are updated. ... View more

The blog posting IS about on-prem AI, not cloud-only.  The service uses the cloud to support on-prem AI. Read more about in the manual at https://docs.splunk.com/Documentation/AIAssistant/1.3.2/User/AboutAIAssistant ... View more

Go to https://advisory.splunk.com/ and look up the CVE reported by your scanner to see what Splunk says about it.  There is a log4j advisory from 2021, but it may not apply to recent versions of Splunk. ... View more

https://www.splunk.com/en_us/blog/artificial-intelligence/introducing-splunk-ai-assistant-for-spl-through-a-cloud-connected-solution-on-prem-ai-without-the-gpu-hassle.html   ... View more

If you have a workload license, the Monitoring Console should have that information.  AFAIK, it's not available for ingest-licensed systems. ... View more

What is not working as expected regarding the Crowdstrike lookup? Verify the src field exists in the results when the lookup is performed.  Also, verify the lookup table has an nt_host field.  Confirm both fields use the same format, including case (unless the lookup is defined as case-insensitive). ... View more