The main catch is that administrators in both offices want complete control over their systems. That is, no one from the Head office will be able to influence the Branch system in any way and vice versa. Based on my understanding of this requirement, there is likely no other option than to have the data count twice against the license. In v8.2+ of Splunk, there is now the concept of Federated Search, but I would argue this would still "influence" the Branch system from activity initiated from the Head Office system. https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutfederatedsearch   What is the concern of the administrators of each Splunk system? If the concern is around performance, Workload Management could be explored to limit the effect searches from one system would have on the other. (https://docs.splunk.com/Documentation/Splunk/8.2.0/Workloads/Aboutworkloadmanagement) If the concern is around data access, Search Restrictions could be explored to limit access to only required data. (https://docs.splunk.com/Documentation/Splunk/8.2.0/Security/Addandeditroles#Specify_searchable_indexes_for_a_role) ... View more

The screenshot of the fields you shared contains the properties.cost and properties.quantity fields. Do the field values represent the data you want? It is possible that Azure changed the name of the fields in the raw data. ... View more

That is great to hear and apologize for misunderstanding the question you were asking. I have personally not heard of much pain from v7.3.x to v8.x, mostly from v7.2.x and prior to anything beyond v7.3.x. I look forward to seeing some other responses, have a great day! ... View more

I think there are some more questions that need to be asked around the requirements. Splunk Enterprise(if so, hosted where?) or Splunk Cloud? If it is Splunk Cloud, I imagine FedRAMP/GovCloud might be required? In either case, I believe that the data stream from Firehose to Splunk is encrypted if configured properly, whether it traverses the public internet is another question. ... View more

I think that for this use case, you can use the Splunk Enterprise trial license available in a variety of deployment factors to satisfy your requirements. This includes a simple virtual machine, AWS AMI, docker images, etc. The trial license supports all features that you describe and past versions are available as well.   https://www.splunk.com/en_us/download/splunk-enterprise.html https://splunk.github.io/docker-splunk/ https://aws.amazon.com/marketplace/pp/Splunk-Inc-Splunk-Enterprise/B00PUXWXNE ... View more

Are you able to access the On-Demand Learning content on the eLearning portal? You should be able to see the PDF used for the presentation and lab work available for download. These are watermarked for each student and should not be shared. ... View more

The documentation covers a number of vendors specifically, please refer to one if it matches your vendor. If not, generally you will find it in the authentication.conf file used in this configuration. entityId is a parameter avaialble and should be the same among members of the same SHC to use smooth single logout. Each SHC entityId used is the change you asked about.  https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ConfigureSAMLSSO#Configure_SSO_using_SAML_with_authentication.conf ... View more

I would be happy to discuss what possible alternatives there might be and that would depend on what you are looking to achieve in the end. What are you using today if anything besides what vmware might offer you in vCenter? Are you looking for perfromance metrics of the hosts and guests, along with logs or a narrower scope? Are you a current Splunk customer and if so, what does your deployment consist of today? ... View more

If you are not able to ingest data that already is produced that contains the query information, you could explore Splunk Stream to pull out the SQL query from the wire data. This could be quite the change so comparing it against enabling the trace log might be a good exercise. If the traffic is encrypted, the cert will be required to decrypt the traffic but you would be able to see the query, transaction times, etc.   The following Splunk Lantern use case is very applicable to your question as well using Splunk Stream. https://lantern.splunk.com/hc/en-us/articles/360053617474-Analyzing-wire-data-from-databases ... View more

I think the best way to answer this question is to refer you to the following Answers post by one of our senior technical writers. It will cover much more regarding an upgrade than just your question. https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Enterprise/m-p/408003 ... View more