They did a real great mess, after 7.0, and some 8.x release 😤 Also with false in optimize_ui_prefs_performance, i'm now on 8.2.12 version, 1) optimize_ui_prefs_performance to true destroyes all old users customization on search tab ... also with optimize_ui_prefs_performance to false, 2) new ui-prefs.conf are not created anymore, only old ui-prefs are managed 3) also etc/users/launcher/local/ui-prefs.conf to remove "Explore Splunk Enterprise" banner has gone away! 4) users can't change Alerts/Reports/Dashboards object view modality (general/owner/app), since it's defaulted and reverted back to "All" next time you load the page!!! 5) seems ui-prefs is right managed only in "app/search/search|alerts|reports|dashboards" (default search App) This is really a great mess!!! 😩😰😱 Check here, https://community.splunk.com/t5/Splunk-Enterprise/quot-ui-prefs-conf-quot-no-more-working-from-Version-7-to/m-p/669361 We have had many users complain about this poor UI management!!! 🤢🙈 ... View more

Whis is as you have 2 UF on same machine. Maybe you should only increase the limits.conf,     [thruput] maxKBps = <integer> * The maximum speed, in kilobytes per second, that incoming data is processed through the thruput processor in the ingestion pipeline. * To control the CPU load while indexing, use this setting to throttle the number of events this indexer processes to the rate (in kilobytes per second) that you specify. * NOTE: * There is no guarantee that the thruput processor will always process less than the number of kilobytes per second that you specify with this setting. The status of earlier processing queues in the pipeline can cause temporary bursts of network activity that exceed what is configured in the setting. * The setting does not limit the amount of data that is written to the network from the tcpoutput processor, such as what happens when a universal forwarder sends data to an indexer. * The thruput processor applies the 'maxKBps' setting for each ingestion pipeline. If you configure multiple ingestion pipelines, the processor multiplies the 'maxKBps' value by the number of ingestion pipelines that you have configured. * For more information about multiple ingestion pipelines, see the 'parallelIngestionPipelines' setting in the server.conf.spec file. * Default (Splunk Enterprise): 0 (unlimited) * Default (Splunk Universal Forwarder): 256     Since by deault it send at 256Kb/s. I set it to 2048 for many UFs which send much data. You could also try a 0 to disable thruput control. ... View more

Turning OFF ACK may cause data-loss. ... View more

For some strange reason, in version 8.2.12 "ui-prefs" is not managed anymore by default. This is not much documented, as it should!!! 😠 To get rid of it, and get back with original ui management, we could try to edit a "local/web-features.conf"     [feature:ui_prefs_optimizations] optimize_ui_prefs_performance = false     But it's like playing the lottery, sometimes works, others not, with new apps not at all 🤦‍♂️   I don't think this is a good idea changing the bahaviour of UI so drastically. Above all, it's not documented anywhere, and we had to go around the web to understand it!!! 🤔🤔🤔🤔🤔 ... View more

The only way to reset the situation, is to manually edit the "etc/users/user/app/local/eventtypes.conf & tags.conf" "etc/apps/app/local/eventtypes.conf & tags.conf" "etc/apps/app/metadata/local.meta" and delete the objects there. And restart the Splunkd. But if you are inside a cluster, it's not much comfortable 😐 ... View more

No info at all? 🙄 ... View more

Ok with props & transforms solution. Ticking the "create mv fields", adds the MV_ADD to transforms and does the trick. I was going to prefer to only use props, but it's ok 👍👍👍 ps. the "(?g)" text in regex INLINE gives errors in regex format. Thanks all 😊 ... View more

I'll try the "?g" on beginning. I tried the "/g" at the end, but without success 😏 I prefer to only use props and not also transforms. Thanks anyway. ... View more

Mmmmm... where? 🙄😁 ... in transforms.conf? So there is no WebIf option to do it? ... View more

Sorry, no. I found those fields reading the log of Splunk itsself time ago, when i got problems with high time dispatching, and did some seaches with them. The best thing, IMO, is reading all the Splunk logs with attention, there is some data very useful. Or you can use the DMC and read the dashboards, where you can find also many interesting things. ... View more

Already installed. Just wanted to know if in official documentation, or other site, there is a full documented list. Thanks, anyway. ... View more

Right, run away, newbie 👍 ... View more

It's an old question, but i came though the same issue. You have to enable "dispatch_rest_to_indexers" for the Role to query also Indexers rest api (like Storage or any other api inside Indexers side). ... View more

Ok, try this, 1) you have 1000 Windows servers 2) any server is used/shared by a sub.Team of a Company (1 Applicative from UK, 1 Security from USA, 1 Sys.Admins from Canada) 3) so Company creates a 3 DS infrastructure which deploy each one its own addon for inputs/scripts 4) any Windows server needs 3 forwarder instances, anyone connected to its own DS (UK/USA/Canada) 5) try to install 3 forwarders, anynone in its own version (7.3 + 8.2 + 9.0) with .msi Ah... ps. 6) i install my own 3 forwarder intances with their own DS ponting in 5 minutes with my cooked zip... MY COOKED ZIP... since i can't download it from Splunk repo 😴 ... View more

Ah, ps, just for your information: you can't install a multiple instance forwarder inside Windows using the .msi setup, since it update the previous or gets an error. Using zip you can install multiple instances (i have hosts with 2 instances by default for 2 both DS, and sometimes also more than 2 without a DS but only with manual deployed TA), as it does with *nix tgz. ... View more

So, why *nix distibutable repo has its own .deb .rpm AND .tgz ? And why Windows does not? Let's talk about people that actually still think Windows is only a GUI OS? If so, those guys are IT beginners. Windows can be managed by CLI as *nix, and so Splunk!!! I repeat, i deploy tens of forwarders without having to GUI login in any Windows host. And i cooked my zip by myself, the question is: WHY SPLUNK THINKS I HAVE TO COOK ZIP BY MYSELF? 😑 Said so, i close the question. So much splunk thinks like you 😟 ... View more

Inside Windows you can manage forwarder as you manage in *nix. Installing the service is done by splunk binary, just with a "splunk enable boot-start" and the proper Splunk server name in splunk-launch.conf . It's not such difficult 🙄 I have batch scripts that deploy zip files on any machine in network, configure and start it, as i have in *nix env. So, zip files for Windows are not so unuseful!!! 😒 ... View more

2023, still no zip/7z Forwarder download for Windows Env? I have a batch script to deploy forwarders on many hosts, and i need to "cook" my forwarder zip file from an installed msi, and it works fine. Still no download for users with all older versions? 😒 ... View more