Hi, I encountered the same issue on my architecture (SH cluster and IDX cluster). I resolved the problem by deploying the index configuration on both the search head and the indexer. In a distributed environment the index must exist on both the search head and the indexer.
Thanks for the suggestion, I'll try that out. Not sure how much control I have over the dynamic creation of the curl commands generated though to know whether or not I can send events that need it and not for those that don't. In my case, I'm using Splunk Connect for Syslog (SC4S).
The explanation for this is that there is a limit on how many results can be returned in a sub-search (right-side of a join). I believe 50k results is the limit. So try to make sure your search is as narrow as possible.
Are you sending the JSON to HEC? If you want to do custom extraction at index time, make sure you use the HEC URL ending in /collector/raw. If you use the /collector (or /collector/event) endpoint, then it is probably bypassing some customizations.
In case anyone else lands here, it appears Cortex Data Lake now supports forwarding directly to Splunk via HTTP Event Collector (HEC). https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-to-an-https-server