Yes, that could be. Anyway, thank you very much for the help @FelixLeh  ... View more

I've tried props.conf and transforms.conf both on Heavy Forwarder where the add-on is installed and on indexers with no succeed, it seems that are ignored anche all the event_type are being collected. This is the splunk doc I've followed: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest transforms.conf   [setnull_EVENT_TYPE] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing_EVENT_TYPE] REGEX = EVENT_TYPE\=\"LightningPageView\" DEST_KEY = queue FORMAT = indexQueue     props.conf   [sfdc:logfile] TRANSFORMS-setEventType = setnull_EVENT_TYPE, setparsing_EVENT_TYPE     This is a sample log:   2023-11-06T22:58:22.108+0000 SFDCLogType="LightningPageView" SFDCLogId="aaaa" SFDCLogDate="2023-11-06T00:00:00.000+0000" EVENT_TYPE="LightningPageView" TIMESTAMP="20231106225822.108" REQUEST_ID="TID:aaaa" ORGANIZATION_ID="aaaa" USER_ID="aaaa" CLIENT_ID="" SESSION_KEY="aaaa" LOGIN_KEY="aaaa/aaaa" USER_TYPE="Standard" APP_NAME="aaaa:aaaa" DEVICE_PLATFORM="SFX:BROWSER:DESKTOP" SDK_APP_VERSION="" OS_NAME="WINDOWS" OS_VERSION="10" USER_AGENT=""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0"" BROWSER_NAME="EDGE" BROWSER_VERSION="119" SDK_VERSION="" DEVICE_MODEL="" DEVICE_ID="" SDK_APP_TYPE="" CLIENT_GEO="Italy/Rome" CONNECTION_TYPE="" UI_EVENT_ID="ltng:pageView" UI_EVENT_SOURCE="" UI_EVENT_TIMESTAMP="1699311501485" PAGE_START_TIME="1699310036553" DURATION="588.0" EFFECTIVE_PAGE_TIME_DEVIATION="false" EFFECTIVE_PAGE_TIME_DEVIATION_REASON="" EFFECTIVE_PAGE_TIME_DEVIATION_ERROR_TYPE="" EFFECTIVE_PAGE_TIME="588.0" DEVICE_SESSION_ID="aaaa" UI_EVENT_SEQUENCE_NUM="22" PAGE_ENTITY_ID="" PAGE_ENTITY_TYPE="Case" PAGE_CONTEXT="force:objectHomeDesktop" PAGE_URL="/lightning/o/Case/list?filterName=Recent" PAGE_APP_NAME="LightningService" PREVPAGE_ENTITY_ID="aaaa" PREVPAGE_ENTITY_TYPE="Case" PREVPAGE_CONTEXT="one:recordHomeFlexipage2Wrapper" PREVPAGE_URL="/lightning/r/Case/aaaa/view" PREVPAGE_APP_NAME="LightningService" TARGET_UI_ELEMENT="" PARENT_UI_ELEMENT="" GRANDPARENT_UI_ELEMENT="" TIMESTAMP_DERIVED="2023-11-06T22:58:22.108Z" USER_ID_DERIVED="aaaa" CLIENT_IP="xxx.xxx.xxx.xxx" UserAccountId="aaaa" SplunkRetrievedServer="https://aaaa.my.salesforce.com"       ... View more

Thank you very much @richgalloway ! ... View more

Hi, I have the same issue: have you ever solved the problem?   Thanks Marta ... View more

Hi SinghK, inputs.conf on indexers   [splunktcp-ssl:9997] queueSize=4MB disabled = 0 [SSL] serverCert = $SPLUNK_HOME/etc/slave-apps/certs/myserver.pem requireClientCert = true     outputs.conf on forwarder   [indexAndForward] index = false [tcpout] defaultGroup = my_indexers forceTimebasedAutoLB = true indexAndForward = false clientCert = $SPLUNK_HOME/etc/apps/certs/myserver.pem useClientSSLCompression = true [tcpout:my_indexers] disabled = false useACK = true server = idx1:9997,id2:9997,id3:9997,id4:9997,id5:9997,id6:9997     ... View more

Hi @VatsalJagani , I've tried setting  in the drill-down offset 120 instead of 2m, the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill down. Thanks anyway ... View more

Hi @harishalipaka I've tried setting earliest in the driil-down search as you suggested, but unfortunatly I got the same error 😞   ... View more

Hi @VatsalJagani, it is not possible to set that value in the Drill-down offset, a warning appears that the value must be an integer if not $info_min_time$. On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search  with no success since when I click on drill-down this error appears:     ... View more