I recommend you consider monitoring the health status logs to see if there are any recommendations present there: SPLUNK_HOME/var/log/splunk/health.log. You can also manually trigger a Health Status Check if need be. It can help identify conditions when inadequate resources are available. ... View more

Please post the URL for the sample data you are referring to. (1) Essentially _time should represent the time included within the raw audit event (when it can be determined): https://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps You can convert _time as "H:MM:SS" format: index=* | eval t=strftime(_time, "%I:%M:%S") | table _time, t You can convert _time as "HH:MM:SS" format: index=* | eval t=strftime(_time, "%H:%M:%S") | table _time, t https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables Leave off the trailing pipe into table once you have confirmed that is what you wanted. ... View more

I recommend you refer to this Palo Alto TechDoc "Integrate Prisma Cloud with Splunk": https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/integrate-prisma-cloud-with-splunk   ... View more