The solution depends on which HEC endpoint you're using.  If you're using the event endpoint then props  are ignored and the timestamp must be in epoch format. See https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-collector/http-event-collector-rest-api-endpoints for details. ... View more

Thanks for clarifying. DS lets us rotate the labels on the X axis, but we do not have the ability to rotate the values over each column.   Consider submitting a request for that feature at https://ideas.splunk.com See https://help.splunk.com/en/splunk-enterprise/create-dashboards-and-reports/dashboard-studio/10.0/visualizations/bar-and-column-charts#column-chart-options-0 for the available options. ... View more

A vertical bar chart is called a column chart in Splunk.  Choose that visualization type in your dashboard. ... View more

Run the base search interactively and notice the fields produced.  You should see the timechart fields don't match those expected by stats. I suggest changing the base search to stop immediately before the timechart command.  Then have two chained searches - one for timechart and one for stats. ... View more

Deduplication at ingest time is tricky bordering on impossible.  Duplicate events may follow different paths and so be undetectable until search time.  Even if they follow a common path, they may be sufficiently far apart that the EP/IP worker can't detect the duplication.   ... View more

It's highly unusual for users to be providing certificates to Splunk admins for installation.  Usually, the admin creates the certificate. Instructions for preparing certificates for Splunk are in the Admin Manual. I'm not aware of any tool/command that will tell you if a certificate file is correct or not.  You can use openssl to examine the file, but it's up to you to make sure the file was built as it should be.  If you do use openssl, be sure to use the version provided by Splunk. ... View more

We need some more information. Are all location using the Splunk Universal Forwarder?  If not, that is what they should be using. Is the Intermediate Forwarder a heavy forwarder or universal forwarder? Where did the queue blocking occur? Where did you make the changes to server.conf and limits.conf?  Did you restart each Splunk instance after making the changes? What inputs are enabled on the location with high CPU usage?  Which TAs/apps are installed there? ... View more

Reading data from Splunk Cloud via the REST API is not possible with a free trial account. The best workaround is to install Splunk Enterprise in a private cloud server and test the API calls against that. ... View more

Contact Splunk Support.  They should be able to provide the desired version. ... View more

The documentation is correct.  Splunk Cloud free trials do not have access to the REST API.  That means calls to the API are not possible until the account converts to a paid one. What problem are you trying to solve?  Perhaps there is another way. ... View more

Timestamps issues are uncommon in _internal. Splunkd.log will show indexer restarts. Restarting does not clear the health status.  That usually takes 24 hours. Use btool to view the default index settings. $SPLUNK_HOME/bin/splunk btool indexes _internal | grep "system\/default" Btool also can show overrides of default settings.   ... View more

If both indexers will be receiving HEC data (very likely) then both must have the same set of HEC tokens.  Do that by putting the tokens in the inputs.conf file in an app on the CM and deploying it in the cluster bundle. ... View more

The TRUNCATE setting applies to the first full instance of Splunk (HF or indexer) that the data passes through.  TRUNCATE=0 should accept events of any length.  What makes you think it isn't "enough"? ... View more

I recommend using the SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) app to confirm your data is CIM-compliant.  Add EVAL and FIELDALIAS settings to props.conf to create CIM-compliant fields as needed.  ... View more

Which TA(s) are you using?  Splunk is unlikely to parse the logs out-of-the-box so you'll need a TA from Splunkbase or one of your own.  The "Cisco Security Cloud" app (https://splunkbase.splunk.com/app/7404) looks promising. ... View more

15TB should be enough at 300GB/day.  Double-check the max_cache_size, min_free_space, and eviction_padding settings to ensure the entire space is available. ... View more

Make sure the Network Traffic DM is scanning the index that contains the Fortigate data (there's a macro for it). Also, make sure the Fortigate events are CIM-compliant.  If the data doesn't use CIM fields it won't appear in the DM. Run the data model's constraint manually in a search (in the ES app) to confirm the events are found and the proper fields are extracted. ... View more

Don't use sourcetypes to integrate data into a data model and DON"T modify a data model. Instead, use tags to integrate the data into the DM.  The DM will search specified indexes for events with specific tags.  In the case of the Network Traffic model, the tags are 'network' and 'communicate'.  Ensure the Fortigate data has those tags and it will become part of the DM. ... View more

You tried doubling the escape characters in the pattern, but did you try it in the replacement? <eval token="nav_chart_mode">replace($value$, "(\\w*)\\|(\\w*)", "\\2")</eval> ... View more

Splunk does not issue patches nor should you try to patch or upgrade the instance of OpenSSL that ships with Splunk. Splunk should include the fixed version of OpenSSL in an upcoming release. ... View more

Why do you want heavy forwarders?  It's usually better to have the UFs send directly to the indexers. ES should run on its own search head, unless it's busy enough to need a SHC.  If so, you should have a separate SHC for adhoc searches and other non-ES uses. I would create new instances from scratch (this is required for an SHC) and keep the standalone SH for historical searches using Federated Search.  As you create the instances, copy their settings from the AIO instance. You'll probably find you'll need to refactor your apps when you copy them from the AIO to the clusters.  There will be settings needed by indexers and not by SHs and vice-versa. UFs can be repointed to the new indexers as soon as the new environment is ready for use. For details about migrating to a SHC, see https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/migrate-settings-from-a-standalone-search-head-to-a-search-head-cluster Similar concepts apply to migrating an AIO instance to an indexer cluster.   ... View more

The hotlist_recency_secs setting does not prevent a bucket from being evicted from the cache.  The goal is to keep the bucket in the cache for (at least) that long, but other demands on the cache may force an early eviction. We can't tell is 15TB is enough cache space without knowing the ingestion rate.  For example, at 1TB/day, it would only hold 15 days of data. ... View more