If both indexers will be receiving HEC data (very likely) then both must have the same set of HEC tokens.  Do that by putting the tokens in the inputs.conf file in an app on the CM and deploying it in the cluster bundle. ... View more

The TRUNCATE setting applies to the first full instance of Splunk (HF or indexer) that the data passes through.  TRUNCATE=0 should accept events of any length.  What makes you think it isn't "enough"? ... View more

I recommend using the SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) app to confirm your data is CIM-compliant.  Add EVAL and FIELDALIAS settings to props.conf to create CIM-compliant fields as needed.  ... View more

Which TA(s) are you using?  Splunk is unlikely to parse the logs out-of-the-box so you'll need a TA from Splunkbase or one of your own.  The "Cisco Security Cloud" app (https://splunkbase.splunk.com/app/7404) looks promising. ... View more

15TB should be enough at 300GB/day.  Double-check the max_cache_size, min_free_space, and eviction_padding settings to ensure the entire space is available. ... View more

Make sure the Network Traffic DM is scanning the index that contains the Fortigate data (there's a macro for it). Also, make sure the Fortigate events are CIM-compliant.  If the data doesn't use CIM fields it won't appear in the DM. Run the data model's constraint manually in a search (in the ES app) to confirm the events are found and the proper fields are extracted. ... View more

Don't use sourcetypes to integrate data into a data model and DON"T modify a data model. Instead, use tags to integrate the data into the DM.  The DM will search specified indexes for events with specific tags.  In the case of the Network Traffic model, the tags are 'network' and 'communicate'.  Ensure the Fortigate data has those tags and it will become part of the DM. ... View more

You tried doubling the escape characters in the pattern, but did you try it in the replacement? <eval token="nav_chart_mode">replace($value$, "(\\w*)\\|(\\w*)", "\\2")</eval> ... View more

Splunk does not issue patches nor should you try to patch or upgrade the instance of OpenSSL that ships with Splunk. Splunk should include the fixed version of OpenSSL in an upcoming release. ... View more

Why do you want heavy forwarders?  It's usually better to have the UFs send directly to the indexers. ES should run on its own search head, unless it's busy enough to need a SHC.  If so, you should have a separate SHC for adhoc searches and other non-ES uses. I would create new instances from scratch (this is required for an SHC) and keep the standalone SH for historical searches using Federated Search.  As you create the instances, copy their settings from the AIO instance. You'll probably find you'll need to refactor your apps when you copy them from the AIO to the clusters.  There will be settings needed by indexers and not by SHs and vice-versa. UFs can be repointed to the new indexers as soon as the new environment is ready for use. For details about migrating to a SHC, see https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/migrate-settings-from-a-standalone-search-head-to-a-search-head-cluster Similar concepts apply to migrating an AIO instance to an indexer cluster.   ... View more

The hotlist_recency_secs setting does not prevent a bucket from being evicted from the cache.  The goal is to keep the bucket in the cache for (at least) that long, but other demands on the cache may force an early eviction. We can't tell is 15TB is enough cache space without knowing the ingestion rate.  For example, at 1TB/day, it would only hold 15 days of data. ... View more

Null is not the same as "null".  The former is the absence of a value while the latter is a specific literal string.  The isnull() function tests if the given field has no value. If a lookup command fails to find a match then the OUTPUT fields will be null (empty). ... View more

I see that happen a LOT.  It's usually because the TIME_FORMAT string does not account for the time zone in the event, but you say you've done that.  Here are some things to check props.conf settings are correct, including attribute spelling and regular expressions Props are installed on the right instance(s) Props are not overridden by settings in other apps.  Use btool to check that. Instances are restarted after making props changes. Props in sourcetype stanzas are not overridden by props in host:: or source:: stanzas ... View more

You're unlikely to find a Splunk manual for cloud migration since doing so is not a DIY project.  I know of only one customer who has migrated to Splunk Cloud without help from Professional Services. This blog entry should help a little: https://www.splunk.com/en_us/blog/learn/cloud-migration.html ... View more

For instructions on how to upgrade Splunk Enterprise, read the fine manual at https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.4/upgrade-or-migrate-splunk-enterprise/how-to-upgrade-splunk-enterprise The choice of which version to install is yours.  I recommend a later version of 9.4.x.  This will help you prepare for Splunk 10 without the risk of the same. IMO, the risk of upgrading usually is less than that of not upgrading and being on an unsupported version.  Splunk 10 is an exception since it contains many breaking changes for which careful planning is recommended. ... View more

I'll presume by "BU separation" you mean preventing one BU from seeing/accessing the data and objects owned by other BUs.  This is accomplished in Splunk Enterprise and Splunk Cloud by role-based access control (RBAC).  Each BU gets their own set of roles and only those roles may access the BU's data/objects. I can't speak for Splunk Observability Cloud, but it probably has a similar feature. ... View more

What exactly are you trying to do?  Splunk Cloud and Splunk Observability Cloud are two different products so they already are "separated". ... View more

Submit a case to Splunk Support and hope for the best.  User management is the customer's responsibility, not Splunk's so they may not be able to help. ... View more

The TIME_FORMAT setting must be on the first full Splunk instance that receives the data.  That's usually an indexer, but could be a heavy forwarder.  The TZ should be on the UF.  Both instance types must be restarted after changing a props.conf file before the change will take effect. Changes to TIME_FORMAT, TZ, and other props settings will not change events that are already indexed.  They only affect new data as it arrives. ... View more

The TIME_FORMAT setting doesn't match the data.  Try TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z   ... View more

Is there a typo in the message or are you really running Splunk 7?  If you are then that's a likely source of the problem.  Try upgrading to a supported version of Splunk. ... View more

If the searched-for strings are in a known field then you can use that field in the stats command. index=myindex ( "Sign-up experience experiment not allowed" OR "Sign-up experience experiment allowed" OR "experiments.1" ) | stats count by foo OTOH, if the strings can be anywhere then it gets more involved.  We need to create a field for the stats command to use. index=myindex ( "Sign-up experience experiment not allowed" OR "Sign-up experience experiment allowed" OR "experiments.1" ) | eval foo=case(searchmatch("Sign-up experience experiment not allowed"),"Not allowed", searchmatch("Sign-up experience experiment allowed"), "Allowed", searchmatch("experiments.1"), "Experiments", 1==1, "Other" ) | stats count by foo ... View more