@koyachi Usually we use Splunk’s Monitoring Console and _internal metrics searches to pinpoint which hosts or pods and sourcetypes are causing ingestion bursts, and which queues are saturating.  You can try with below searches to identify hosts with sudden spikes in data volume. You can also use "group=per_sourcetype_thruput" to identify per sourcetype. index=_internal group=per_host_thruput | timechart sum(kbps) by host Please use the below reference links especially the Splunk lantern link would be useful. Ref: Performance tuning the indexing tier - Splunk Lantern Indexing: Performance | Splunk Enterprise (last updated 2026-01-09T19:16:30.328Z) Troubleshoot inputs with metrics.log | Splunk Enterprise (last updated 2025-07-04T12:39:08.534Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@malisushil119  You can verify the licenseMasterURI setting in server.conf file under [license] stanza to verify whether the indexer points to the active LM. The above setting connects the peers with LM node. You may also run splunk list licenses on the LM node to confirm the license is valid and loaded. To list all the license peers that have contacted the license manager, you can run: splunk list licenser-peers Review the below reference for additional commands you can run using CLI. You can also rule out any connectivity issues on port 8089 from Indexer node to LM using curl commands. curl -k https://<your-lm-host>:8089 Ref:  Manage licenses from the CLI | Splunk Enterprise (last updated 2025-07-04T13:21:06.140Z) server.conf - Splunk Documentation >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more

@malisushil119 Since it was previously working, what was changed in between? Like a version upgrade or something you performed. Did you check splunkd.log file on affected indexer to see for any license related errors? You may try restarting one license peer node in error state to see if it re-sync with active LM and clears the quarantine? >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more

@Poojary Could you clarify whether you’re trying to pull search results or metadata like dashboard XML? That will determine which REST endpoint you should target to fetch the information from Splunk. You may review the Endpoint reference list for the specific information you are trying to fetch. Ref: Endpoints reference list | Splunk Enterprise (last updated 2025-07-04T01:32:55.970Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@malisushil119 From your query, I guess you have a multisite cluster with separate License Managers per site. Can you confirm if your goal is to run them independently, or are you trying to achieve HA with a single LM behind a failover mechanism?  >> If this post addressed your question, you can: Give it karma to show appreciation  Mark it as the solution if it solved your issue  Add a comment if you’d like more details  Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@Srubhi The correct syntax in Dashboard Studio drilldown event handlers is row.REGION.value. You must reference the .value property of the field in the row object. This ensures that when a user clicks on a marker, the actual value of the REGION field is assigned to the token. So, in your JSON, the event handler should be modified as below: ...................... "eventHandlers": [ ........... "tokens": [ { "token": "REGION", "key": "row.REGION.value" } ] ] Ref: Setting tokens on a visualization click | Splunk Enterprise, Splunk Cloud Platform (last updated 2026-03-06T19:50:02.985Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@beataficek Did you try using Dashboard studio which will make things easier for you? ... View more

@jamesdsteel Verified the hash for v10.2.0 for the add-on matches with the downloaded file and no issues observed from my end. The file is being downloaded as .tgz and not .tar file.  >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@sjain To ensure CommVault app continues to work in Splunk 10, you must validate it yourself using staging or dev tests. If issues arise, you can reach out to the app developer for an updated release.  Ref: Commvault Splunk App | Splunkbase Contact page for Commvault: Contact Us - Commvault >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@duesser I guess this has nothing to do with props or limits configuration. Potentially, Add-on could be truncating it. This can be identified from debug logs for the add-on. If not enabled, you could enable it and troubleshoot it further. Particularly, you may look for the serialization errors which could point to this issue. If confirmed, please report this as bug to Splunk itself via support case as this can be fixed in the upcoming version releases. Ref: Troubleshoot issues with Splunk Connect for Kafka | Splunk Enterprise, Splunk Cloud Platform (last updated 2025-07-15T17:26:43.575Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@kjain041523  The lookup error indicates Splunk is attempting to run automatic lookups that reference missing or misconfigured lookup files. You can try to check the lookup definitions in Splunk Web under Settings > Lookups, confirm that the corresponding CSV files (minemeIdfeeds_src_lookup, minemeIdfeeds_dest_lookup) exist in the app’s lookups or directory. To fix the error, you may either restore the missing files or disable the lookup definitions if they are not needed.  >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@viku7474 For your upgrade from Splunk 9.2, we follow n-1 (v10.0.5) version to avoid any unforeseen issues. It's recommended to ensure you go to the latest maintenance version in any case to ensure the security vulnerabilities and bugs are fixed with the latest maintenance versions. Like in your case, if you are planning for 10.2.x, go with the latest maintenance release (ie, 10.2.2) or previous version's latest release version (i.e 10.0.5) and review the known issues section to assess potential impact to your deployment.  Known issues: Splunk Enterprise 10.2.2 known issues | Platform (last updated 2026-03-09T20:32:00.181Z) Splunk Enterprise 10.0.5 known issues | Platform (last updated 2026-03-09T20:27:25.926Z) Additionally, please note that 9.2 > 10.2 requires careful planning as it's a major version upgrade and significant changes might need to be tested in your dev Splunk environment. Refer this doc before doing the upgrade. About upgrading to 10.2 READ THIS FIRST | Splunk Enterprise (last updated 2026-01-09T21:31:57.841Z) Overall Upgrade guidance:  How to upgrade Splunk Enterprise | Splunk Enterprise (last updated 2026-01-09T21:31:57.359Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@proficio_ajk Compatibility with Splunk v10.2 is not yet available, and no release date has been announced. You may check or post the same question in the SailPoint community wiki and forums. I would suggest to try the app functionality on version 10.2 like in a test environment or dev cloud tenant as it may work since the app has support on previous 10.x versions of Splunk. Sailpoint community: SailPoint Identity Security Cloud AuditEvent Add-on for Splunk - Installation and User Guide - Compass >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more

@wryanthomas You can check out with the builder of this app "Gabriel Vasseur", check out his blog site and you can contact him via me@gabrielvasseur.com. Website: Conf Manager >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@Darkvader These two issues are most common in many Splunk deployments and will address them separately. For the first one, bundle replication may fail warning - usually caused by large lookup files (often CSVs) included in the search head bundle. This issue is documented in the Splunk knowledge base and refer it for solution. Solution: Distributed Bundle Replication Manager: The current bundle directory contains a large lookup file that might cause bundle replication fail | Splunk Secondly, for Orphaned Searches messages indicates there are active scheduled searches which are owned by disabled or deleted user accounts, may be a user who left the organization. The recommended resolution is to reassign ownership to an active account or disable the search if it is no longer needed. Refer: Manage orphaned knowledge objects | Splunk Enterprise (last updated 2025-07-04T01:22:43.095Z) Solution: Orphaned Scheduled Searches, Reports, and Alerts are missing. | Splunk >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more

@lmaclean    I see you have done decent research on it. Just sharing my thoughts on this matter. Since 8.4 is the latest ES release and couple of issues are being uncovered. It's best to maintain n-1 version always to avoid such issues. Did you tested with ES 8.3 version to see if the issue persists? If not, try it and let us know. Please review the Known issues for ES version 8.4 which might be tied to your issue. If not, report it to Splunk via support case so that it can be recorded as well. Related references:  Known issues in 8.4: Known issues | Splunk Enterprise, Splunk Cloud Platform (last updated 2026-02-04T21:32:01.448Z) Findings (notables) fail to be created after upgrading to Enterprise Security 8.0 | Splunk >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@si_CE Sounds good. Thank you. ... View more

@si_CE Did you check the internal logs for any related errors? That would help us understand the issue. As per your query, I presume this is an authentication issue, which can be confirmed from the internal logs for the app/add-on input.  Please confirm your splunk enterprise version and ensure its compatibility with App version on HF. The below should be the new add on (TA) which should be installed on the HF. Input Add On for SentinelOne App For Splunk | Splunkbase >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more

@Kaitsu You're welcome. Let us know if you face any further issues. Thank you. ... View more

@KCW Appreciate the write up. For us, what is providing real value with AI in Splunk is writing SPL using natural language which our team members were struggling especially with complex multi join SPL queries. This feature is adding a lot of value to customers. ... View more

@Ian0706 No worries. Yes, since we don't have any workarounds published on this one yet. ... View more

@osama_11 The field extraction will only apply to events of the defined sourcetype, not globally. Could you please clarify whether you are planning to use these field extractions just for testing, or to roll them out in production? That will help to determine whether the Field Extractor is sufficient or if you should move to manual configuration management. For production roll out, it is best to manage it via props & transforms configuration files in Splunk. Refer Field extraction configuration in the documentation: props.conf | Platform (last updated 2025-07-30T21:23:14.766Z) transforms.conf - Splunk Documentation >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@livehybrid / @PickleRick I meant pushing via deployer only. Updating in captain node also won't help in this case. Thanks for pointing it out. ... View more

@David_Loureiro The “Find More Apps” browser in Splunk Enterprise 10.0.2 uses Splunk’s built‑in trust store ($SPLUNK_HOME/etc/auth/cacert.pem) for outbound HTTPS calls to Splunkbase, not your custom bundle. When you replaced or redirected the trust store to include only your internal CA, you inadvertently broke validation against public roots like DigiCert, which Splunkbase relies on. The supported approach is to append your internal CA to the default Splunk CA bundle rather than override it, ensuring outbound public CA validation continues to work. In this situation, to fix it. You can try the below: Do not replace the default cacert.pem file. Append your internal CA certificate to Splunk’s existing bundle cat my_internal_ca.pem >> $SPLUNK_HOME/etc/auth/cacert.pem Keep caTrustStore = splunk,os so Splunk trusts both its own bundle and the OS trust store Restart Splunk after updating the bundle This ensures public roots (DigiCert, etc.) remain trusted while also allowing mTLS with your internal CA. Hope it helps. >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more