I had the same problem and I could get rid of that error by renaming the "federated.conf.spec" file in $SPLUNK_HOME/etc/system/README. Please upvote if this is helpful. Thanks, Mitesh.
When a sourcetype is deprecated, is there somewhere I can look to understand why this action was taken? We currently make use of that sourcetype in the Splunk Add-on for Juniper v1.2.0. In doing some testing in our Splunk Dev environment, I found out the hard way that this was the case, as nothing parsed after that upgrade. What are customers to use when that data and parsing is still needed?
I am working on the following, which gives a more complete picture. Downloading to XLS and then turning on filtering allows you to easily see OS type, forwarder type, version, the last indexer communicated with, etc.
index=_internal source=*metrics.log component=Metrics group=tcpin_connections
| dedup hostname
| table hostname, sourceIp, os, arch, fwdType, version, ssl, guid, lastIndexer, _time
| sort hostname
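The search above relies on the key=value pairs that splunkd writes into metrics.log for group=tcpin_connections, and on the fact that a search returns newest events first, so dedup hostname keeps the most recent connection per forwarder. The following is an added example, not code from the post or from Splunk: it rebuilds the same inventory table offline in Python from a handful of constructed metrics.log lines (the values are invented; the field names are the ones the search uses), renders it as CSV like the XLS export, and adds one review check a defender would want from that table, a list of forwarders whose connection is not TLS-encrypted (ssl != true).

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample events in the shape of splunkd metrics.log tcpin_connections
# lines. All values are invented; web01 appears twice so that dedup-by-host is visible.
SAMPLE_METRICS_LOG = """\
01-10-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=web01, sourceIp=10.0.0.11, destPort=9997, kb=12.3, _tcp_Bps=410.0, _tcp_KBps=0.4, _tcp_avg_thruput=0.4, _tcp_Kprocessed=12, _tcp_eps=3.1, build=abc123, fwdType=uf, guid=11111111-1111-1111-1111-111111111111, hostname=web01, os=Linux, version=8.2.9, arch=x86_64, ssl=false, lastIndexer=idx01:9997, ack=false
01-10-2024 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51301:9997, connectionType=cooked, sourcePort=51301, sourceHost=web01, sourceIp=10.0.0.11, destPort=9997, kb=8.1, _tcp_Bps=270.0, _tcp_KBps=0.3, _tcp_avg_thruput=0.3, _tcp_Kprocessed=8, _tcp_eps=2.0, build=abc123, fwdType=uf, guid=11111111-1111-1111-1111-111111111111, hostname=web01, os=Linux, version=9.0.4, arch=x86_64, ssl=false, lastIndexer=idx02:9997, ack=false
01-10-2024 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.20:40022:9997, connectionType=cooked, sourcePort=40022, sourceHost=db01, sourceIp=10.0.0.20, destPort=9997, kb=30.0, _tcp_Bps=1000.0, _tcp_KBps=1.0, _tcp_avg_thruput=1.0, _tcp_Kprocessed=30, _tcp_eps=5.5, build=def456, fwdType=hf, guid=22222222-2222-2222-2222-222222222222, hostname=db01, os=Windows, version=9.0.4, arch=x86_64, ssl=true, lastIndexer=idx01:9997, ack=true
01-10-2024 10:00:31.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
"""

# Leading timestamp of a metrics.log line, e.g. "01-10-2024 10:00:31.000 +0000".
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"
# key=value pairs; values run up to the next comma or whitespace.
KV_RE = re.compile(r"(\w+)=([^,\s]*)")
# Same columns, same order, as the "| table ..." clause in the search.
COLUMNS = ["hostname", "sourceIp", "os", "arch", "fwdType", "version",
           "ssl", "guid", "lastIndexer", "_time"]


def parse_tcpin_connections(text):
    """Return one dict per tcpin_connections event, with _time parsed to a datetime."""
    rows = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m or "group=tcpin_connections" not in line:
            continue  # other metrics groups (thruput, queue, ...) are ignored
        fields = dict(KV_RE.findall(line))
        fields["_time"] = datetime.strptime(m.group(1), TS_FMT)
        rows.append(fields)
    return rows


def forwarder_inventory(text):
    """Offline equivalent of the search: newest event per hostname, one row per
    forwarder, sorted by hostname (the later line wins on equal timestamps)."""
    latest = {}
    for row in parse_tcpin_connections(text):
        host = row.get("hostname")
        if host and (host not in latest or row["_time"] >= latest[host]["_time"]):
            latest[host] = row
    table = []
    for host in sorted(latest):
        row = latest[host]
        out = {col: row.get(col, "") for col in COLUMNS}
        out["_time"] = row["_time"].isoformat()
        table.append(out)
    return table


def to_csv(table):
    """Render the inventory as CSV, the shape you get when exporting the search."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(table)
    return buf.getvalue()


def forwarders_without_ssl(table):
    """Added review check: hostnames whose forwarder-to-indexer link is not TLS (ssl != true)."""
    return [row["hostname"] for row in table if row["ssl"].lower() != "true"]


if __name__ == "__main__":
    inventory = forwarder_inventory(SAMPLE_METRICS_LOG)
    print(to_csv(inventory))
    print("forwarders without ssl:", forwarders_without_ssl(inventory))
```

Run against a real metrics.log (or a CSV export of the search) the same dedup logic applies; the ssl column is the quick filter to apply first, followed by version, when reviewing which forwarders still need attention.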