Hi @StephenD1  Does something like this help? index=_internal sourcetype=splunkd (component=DeployedApplication AND ("Checksum mismatch" OR "Installing")) OR (component=loader "Splunkd starting") OR "Restarting Splunkd" | rex field=app "(?<app>[^\.]+)\.?" | eval splunkStarting=IF(LIKE(_raw,"%Splunkd starting%"),1,0) | eval checksumMismatch=IF(LIKE(_raw,"%checksum mismatch%"),1,0) | stats values(app) as app, max(splunkStarting) as SplunkRestarted, count(checksumMismatch) as checksumMismatches by host 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @danielbb  Are you able to post a sample of the event you are working with and also how you are calling the REGEX/transform? Does this make any difference? REGEX = \}\sOnChange 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ilhwan  I noticed back in 2022 you posted similar to this around some sourcetypes and changing the host so I just wanted to check - is there any chance there could be a conflict between these props/transforms and previous ones deployed? Are you able to check the other props.conf configs for this same sourcetype to ensure no other transforms are being applied? As far as I can tell the way you are doing it should overwrite the existing host value which makes me wonder if something else is appending it somewhere. Are you also able to confirm that there are no other search-time extractions occurring?  If you run the search in fast mode do you get the same host values (2 values per event) ? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @alphablue  Can you confirm what you specified as the s3_file_decoder for the SQS-based-S3 input? Is this set to CustomLogs? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @prashanthan1987  You could look at using Ingest Actions API endpoints to leverage this, this will allow you to make changes to drop certain events based on your criteria programatically using automation, but I would recommend heavily testing this first and having plenty of guardrails to ensure nobody can manipulate it to drop things that shouldnt be dropped! Check out https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-reference/10.0/input-endpoints/input-endpoint-descriptions and specifically the '/services/data/ingest/rulesets/' endpoint, such as: curl -k https://HOST:PORT/services/data/ingest/rulesets\?output_mode=json -d name=RULESET_NAME -d sourcetype=SOURCETYPE -d rules="[ { \"name\": \"RULE_NAME\", \"action\": \"route\", \"clone\": false, \"dest\": \"DESTINATION\", \"cond\": { \"type\": \"eval\", \"expr\": \"someExpressionHere\" } } ]" 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ws  Running Splunk as root user is generally a bad idea.  The Splunk Best Practice and Validated Architectures around syslog I would recommend reading https://help.splunk.com/en/splunk-cloud-platform/get-started/splunk-validated-architectures/getting-data-in-forwarding-and-preprocessing/syslog-data-collection and looking at using a syslog server which can store the data to files which are forwarded using a Universal Forwarder (UF) or Splunk Connect for Syslog (SC4S) If you really want to receive the data into Splunk using a UDP port at < 1024 then you might find some success by looking at adding the CAP_NET_BIND_SERVICE capability to the Splunk user. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Rix  Your cloud stack might take a couple of hours to be built and provisioned - Please check back on the portal and/or emails in a couple of hours to see if it appears. Once it is ready the "Access Instance" button should be clickable. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Benjaminthor  Do you have any Firewalls or Proxy servers between your Splunk instance and the Microsoft APIs?  Ultimately it looks like the script failed unexpectedly. Can you also check if there are any other logs produced which might have more information (e.g. index=_internal source=*o365*) 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Ian0706  Have you got 'source' in the Selected Fields on the left hand column? If not, can you see 'source' in the Interesting Fields section? If so click on source and ensure the 'Yes' button is selected. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

Hi @shashankk  I think there are a couple of ways you could do this, one being: index=test_uat (source=*/DB*/scn0*/tool/log/scan*log "realtime update") OR source=*/DB*/scn0*/tool/log/output.log | rex field=source "\/HSDB..\/(?<Instance>.*);\s" | rex field=_raw ":\d\d, \d\d\d;\s.*\/(?<vuser>.*);\s" | rex field=vuser "(?<UserId>[^/]+)$" | eval UserId=COALESCE(UserId,user_name) | eventstats values(cost_center) as cost_center values(first_name) as first_name, values(last_name) as last_name by UserId | stats count by Instance, UserId, first_name, last_name, cost_center | eval {Instance}=count | stats values(*) AS * by UserId | addtotals labelfield=UserId | fields - count Instance Another way would be to append the output.log later on, I usually try and avoid appends where possible though as they can have limitations if too many results are returned: index=test_uat source=*/DB*/scn0*/tool/log/scan*log "realtime update" | rex field=source "\/HSDB..\/(?<Instance>.*);\s" | rex field=_raw ":\d\d, \d\d\d;\s.*\/(?<vuser>.*);\s" | rex field=vuser "(?<UserId>[^/]+)$" | chart count over UserId by Instance | addtotals labelfield=UserId | fillnull value=0 | sort - Total | fields - count Instance | append [ search index=test_uat source=*/DB*/scn0*/tool/log/output.log | eval UserId=user_name | table UserId first_name last_name cost_center] | stats values(*) as * by UserId   Here is an example of the second search using makeresults data to see it in action: | makeresults format=csv data="_time,source, _raw 2026-01-21 12:00:01,\"/HSDB01/SCN01; \", \"123; /HSDB01/SCN01; realtime update:01, 111; some/other/path/MARVEL; x\" 2026-01-21 12:00:02,\"/HSDB01/SCN01; \", \"234; /HSDB01/SCN01; realtime update:02, 222; some/other/path/MARVEL; x\" 2026-01-21 12:00:03,\"/HSDB01/SCN03; \", \"345; /HSDB03/SCN03; realtime update:03, 333; some/other/path/MARVEL; x\" 2026-01-21 12:00:04,\"/HSDB01/SCN03; \", \"456; /HSDB03/SCN03; realtime update:04, 444; some/other/path/MARVEL; x\" 2026-01-21 12:00:05,\"/HSDB01/SCN03; \", \"567; /HSDB03/SCN03; realtime update:05, 555; some/other/path/MARVEL; x\" 2026-01-21 12:00:06,\"/HSDB01/SCN03; \", \"678; /HSDB03/SCN03; realtime update:06, 666; some/other/path/MARVEL; x\" 2026-01-21 12:00:07,\"/HSDB01/SCN03; \", \"789; /HSDB03/SCN03; realtime update:07, 777; some/other/path/MARVEL; x\" 2026-01-21 12:00:08,\"/HSDB01/SCN03; \", \"890; /HSDB03/SCN03; realtime update:08, 888; some/other/path/MARVEL; x\"" ```index=test_uat source=*/DB*/scn0*/tool/log/scan*log "realtime update"``` | rex field=source "\/HSDB..\/(?<Instance>.*);\s" | rex field=_raw ":\d\d, \d\d\d;\s.*\/(?<vuser>.*);\s" | rex field=vuser "(?<UserId>[^/]+)$" | chart count over UserId by Instance | addtotals labelfield=UserId | fillnull value=0 | sort - Total | fields - count Instance | append [| makeresults | eval _raw="2026-01-21 08:26:45.014 user_id=\"2143\" user_name=\"MARVEL\" first_name=\"avenger\" last_name=\"superhero\" cost_center=\"DC\"" | extract | eval UserId=user_name | table UserId first_name last_name cost_center] | stats values(*) as * by UserId   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @klaxdal  Are you talking about individual pages loading or searches? What does your environment look like in terms of architecture/OS/Hardware? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @splunkreal  Existing Adaptive Response Actions should should be persisted through the upgrade from ES7->ES8, however, community/custom addons arent necessarily tested by Splunk and could end with compatibility issues if they utilise any APIs or libraries within ES which are no longer available - for this reason I would recommend testing ES8 with your third party addons outside your production environment prior to upgrading to ensure there are no issues. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @staten  Currently the transform for extracting this data from S3 access logs is aws_s3_accesslogs_extract_all_fields which has the following regex: ^\s*(?P<bucket_owner>\S+)(\s+(?P<bucket_name>\S+))(\s+\[(?P<request_time>[\w\/\s:+]+)\])(\s+(?P<remote_ip>\S+))(\s+(?P<requester>\S+))(\s+(?P<request_id>\S+))(\s+(?P<operation>\S+))(\s+(?P<key>\S+))(\s+(?:"?)(?<request_uri>[-]|([^"]+))(?:"?))(\s+(?P<http_status>\S+))(\s+(?P<error_code>\S+))(\s+(?P<bytes_sent>\S+))(\s+(?P<object_size>\S+))(\s+(?P<total_time>\S+))(\s+(?P<turn_around_time>\S+))(\s+(?:"?)(?<referrer>[-]|([^"]+))(?:"?))(\s+(?:"?)(?<user_agent>[-]|([^"]+))(?:"?))(\s+(?P<version_id>\S+))(\s+(?P<host_id>\S+))?(\s+(?P<signature_version>\S+))?(\s+(?P<cipher_suite>\S+))?(\s+(?P<authentication_type>\S+))?(\s+(?P<host_header>\S+))?(\s+(?P<tls_version>\S+))?(\s+(?P<access_point_arn>\S+))?(\s+(?P<acl_required>\S+))? Thankfully an additional field at the end of the log for 'source region' will not break the existing regex (See https://regex101.com/r/I5fTqF/1 ) so it should not prevent any existing extractions, but to your question around extractions needed to utilise this new field, this is something that would need to come with an updated version of the TA.  Given that this announcement came in the last few days (I also received it at the weekend) its unsurprising that the TA has not yet been updated and actually I wouldnt necessarily expect the TA to be updated until the change by AWS has been rolled out as it will need to be adequately tested against the new log format before release.  If I was you I would be tempted to log a support case with Splunk about this as they maintain and support the plugin to ensure that these changes are on their roadmap, and they might be able to give an indication as to when the changes will reach the app. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ubommala  If you are using 10.0.1 then you will not be able to use Custom app visualizations in Dashboard Studio as the ability/feature to use Custom Viz in Dashboard Studio was only added in 10.1 (Cloud only) and came to On-Premise in 10.2. That being said, when I tested Sunburst viz in 10.2 Dashboard Studio it didnt work correctly but I am not too familiar with the viz so perhaps I need to make some tweaks to the data. Once you've upgraded to 10.2 you should be able to use custom visualizations in Dashboard Studio 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Opher  Can you confirm the time period you are searching for the data across when you are searching?  Are there any other indexes with data?  When you are one-shotting it will import the data at a point in time but will not continue to monitor those files (if they are changing) but the data should always exist if you search for the time period when you imported it, unless something else is configured incorrectly.  Have you made any changes to the default retention (frozenTimePeriodInSecs) for the index? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @BRFZ  How are you sending the data to your Indexers? Did you make any changes to the ingestion when you started seeing the spike to try and reduce it? My gut feeling would be that something higher up the chain has crashed, ie the forwarder or intermediate forwarder - Are you able to see any _internal logs from the forwarder sending the data (assuming the data is sent via a forwarder)? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ubommala  Are you running Splunk 10.2? The App is currently listed as compatible with 10.1 but not yet updated for 10.2. Its also worth noting that Custom Visualizations in Dashboard Studio is a recent feature and some custom viz apps may not have yet been tested/updated for Dashboard Studio, so whilst they might work in 10.1/10.2 they may only work in Classic XML dashboards. There isnt a way in Splunkbase at the moment to specify if a custom Viz is compatible with both Classic and Dashboard Studio dashboards. I would suggest reaching out to the developer (chris.younger+splunkbase@gmail.com) to see if there is a fix in the pipeline.  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @DarrenJackson  This is unusual as I have found emails such as that to be very effective, however you might find it easier to speak to someone directly - Check out https://www.splunk.com/en_us/about-splunk/contact-us.html?locale=en_us#sales which has a list of phone numbers for each region so that you can speak to the appropriate team for your area. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @verbal_666  Keep an eye on https://advisory.splunk.com/ for any updates regarding this Vuln which will contain details around if/how mitigations should be applied to Splunk.  We are also due a maintenance update to 9.4.x imminently (10.2 was released last week). Its also worth raising a support case with Splunk directly to discuss this as they may be able to provide additional information under your contract/NDA with them. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @richah  Is there any specific reason you dont want to use Firehose? If you are worried about the scalability then Firehose would be the best approach, in my opinion. If you want to stick to Lambda only then you could look at https://www.splunk.com/en_us/blog/platform/stream-amazon-cloudwatch-logs-to-splunk-using-aws-lambda.html which just uses a Lambda with a Subscription Filter.  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @smithy001  I generally wouldnt remove any files from the Splunk installation without first consulting with support as it could have unexpected results - even if you do not think you are using any postgres functionality (I believe its used in Edge Processor for example) it doesnt necessarily mean that Splunk doesnt validate it or use it during startup processes etc.  The release notes/docs were just released for 10.2 (https://help.splunk.com/en/splunk-enterprise/release-notes-and-updates/release-notes/10.2/whats-new/welcome-to-splunk-enterprise-10.2) however the binaries havent been released yet, so it could be that a fix for this is to be released in 10.2 (with additional minor version for older 10.x/9.x versions shortly). Its also worth checking out https://advisory.splunk.com/ if you havent already. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more