@richgalloway I don't see a message when i executed the search mentioned below, let me help you with the below context and props.conf configuration. Can you please help me with the line breaking and truncate issue which I am seeing for the nested Json events coming via HEC to splunk. This event size is almost close to 25 million bytes where as the truncate limit is set to 10000 only.I was not allowed to set the truncate limit to 0 due to performance issues.I want to break this nested event into multiple events starting from Source_System Example of an event: {"sourcetype": "abc_json","index":"test", "event":{"severity":"INFO","logger":"org.mule.runtime.core.internal.processor.LoggerMessageProcessor","time":"XXX","thread":"[MuleRuntime].xxx.123: [App name].post:\\schedules:application\\json:app.CPU_INTENSIVE @xxxx","message":{"correlationId":"XXXX","inputPayload":[{"Source_System":"TEST","Created_By":"ESB","Created_Date_UTC":"1900-XX-01T02:59:14.783Z","Last_Updated_By":"ESB","Last_Updated_Date_UTC":"2020-07-25T03:34:31.91Z",]},{"Source_System":"TEST2","Created_By":"ESB","Created_Date_UTC":"1900-XX-07T02:59:14.783Z","Last_Updated_By":"ESB","Last_Updated_Date_UTC":"1900-XX-25T03:34:31.91Z",]},{"Source_System":"TEST3","Created_By":"ESB","Created_Date_UTC":"2019-08-22T23:27:32.123Z","Last_Updated_By":"ESB","Last_Updated_Date_UTC":"1900-xx-20T01:11:45.35Z",]}}}}'   My current props.conf configuration: ADD_EXTRA_TIME_FIELDS=True ANNOTATE_PUNCT=true AUTO_KV_JSON=true BREAK_ONLY_BEFORE_DATE=null CHARSET=UTF-8 DEPTH_LIMIT=1000 DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME=false LB_CHUNK_BREAKER_TRUNCATE=2000000 LEARN_MODEL=true LEARN_SOURCETYPE=true LINE_BREAKER=([,|[]){"Source_System": LINE_BREAKER_LOOKBEHIND=100 MATCH_LIMIT=100000 MAX_DAYS_AGO=2000 MAX_DAYS_HENCE=2 MAX_DIFF_SECS_AGO=3600 MAX_DIFF_SECS_HENCE=604800 MAX_EVENTS=256 MAX_TIMESTAMP_LOOKAHEAD=128 NO_BINARY_CHECK=true SEGMENTATION=indexing SEGMENTATION-all=full SEGMENTATION-inner=inner SEGMENTATION-outer=outer SEGMENTATION-raw=none SEGMENTATION-standard=standard SHOULD_LINEMERGE=false TRUNCATE=10000 category=Custom detect_trailing_nulls=false disabled=false maxDist=100 pulldown_type=true termFrequencyWeightedDist=false     Am i missing something?  ... View more

Are you looking for splunk outage? ... View more

It will be calculated based on the amount of data being ingested at the indexer level on a 24 hr time interval irrespective of the type or source of the log. ... View more

@richgalloway Hello Sir, Can you please help me with this request, I got stuck with this issue for a long time, Please help me out.   Thanks ... View more

@woodcock  Hello sir, Can you please help me with the above question? Appreciate your help.   Thanks ... View more

Can someone help me with the steps that needs to be taken at configuration at Isilon source end and details that i need to co? I have installed the add-on on the forwarder and search head and got stuck with the configuration.   ... View more

Hi @dkolekar_splunk  Can you help me with Snow incident geographical dashboard, i have already enabled incident table and location table inputs using the add-on, but i am unable to correlate this and populate the dashboard. there is no common field between two tables like latitide, longitude or location? Did you ever faced this issue? Please help me out.   Thanks ... View more

@manojkumjha you can try setting up HEC and sending logs from Mulesoft using mulesoft cloudhub runtime. https://blogs.mulesoft.com/dev/howto/report-analytics-from-mule-runtime-using-splunk/       ... View more

@joseft I made this integration with admin level but I am not seeing any messages from Slack public channels to splunk ... View more

@3DGjos try assigning both edit_monitor and edit_tcp, it will work. ... View more

Worked for me. Thank you ... View more

Hi @joseft, i have created the slack custom app and gave the scope channels:history and using the slack app for splunk add-on, i installed it on SH and configured the data input slack:messages but i am not seeing any events from slack. while i creating the input in splunk, i gave the OAuth token, index, sourcetype and initial days to load the data. Can you please help me out on this, if anything else needs to be configured.   Thanks ... View more

@anurbhav If you are going with the route of Kinesis-Cloudwatch-HEC-Splunk then i will prefer HEC. ... View more

Following ... View more

@kfaulkner_splun @sylim_splunk  Can multiple users login and perform searches on this personalized dev/test license using admin account credentials? ... View more

@woodcock can you help me with this? ... View more