@m_zandinia  Great. It’s good to know that changing the report’s permissions fixed the issue.  ... View more

This was the fix we were looking for. I ended up using group policy preferences to add NT SERVICE\SplunkForwarer to the Event Log Readers group instead of using Restricted Groups (defining members in Restricted Groups will remove members already in the group not listed, so be cautious). ... View more

I was able to fix my issue with symbolic links, thanks to the following topic. https://community.splunk.com/t5/Deployment-Architecture/How-to-move-index-from-one-hard-drive-to-another-in-Splunk/m-p/170733 Here is the steps I did: I created two directories on each volume, like this mkdir /Splunk-Storage/HOT/HOT1 mkdir /Splunk-Storage/HOT/HOT2 mkdir /Splunk-Storage/COLD/COLD1 mkdir /Splunk-Storage/COLD/COLD2  I stopped Splunk on one Indexer. Then moved the indexes to the appropriate directories as desired mv /Splunk-Storage/HOT/testindex1 /Splunk-Storage/HOT/HOT1/testindex1 mv /Splunk-Storage/COLD/testindex1 /Splunk-Storage/COLD/COLD1/testindex1 mv /Splunk-Storage/HOT/testindex2 /Splunk-Storage/HOT/HOT2/testindex2 mv /Splunk-Storage/COLD/testindex2 /Splunk-Storage/COLD/COLD2/testindex2 It took no time of course. Then I created symbolic links just like this ln -s /Splunk-Storage/HOT/HOT1/testindex1 /Splunk-Storage/HOT/testindex1 ln -s /Splunk-Storage/COLD/COLD1/testindex1 /Splunk-Storage/COLD/testindex1 ln -s /Splunk-Storage/HOT/HOT2/testindex2 /Splunk-Storage/HOT/testindex2 ln -s /Splunk-Storage/COLD/COLD2/testindex2 /Splunk-Storage/COLD/testindex2 Then I started Splunk. At this point, Splunk remained unaware of the changes occurring on the underlying file system, yet it continued to function, with the actual data now residing in the correct path. After repeating this process on all indexers, I proceeded to modify the indexes.conf on CM and pushed the changes. After checking that everything is correct, I removed the soft links. ... View more

Thanks @PickleRick  Yes, I know the tricky part is how I shrink my underlying filesystem because at the end of the day it's about the space must be free and available at the hypervisor level. ... View more

If you have indexer cluster bucket should have GUID on name like this:  db_1641702441_1641656220_301_C7FC9055-53C4-4411-99E8-98FF5BA9E5E3 GUID of indxer you can find in instance.cfg file. ... View more

Thanks @gcusello Is works perfectly when I set it on indexers.  I set those settings on UF and because of that it didn't work. ... View more

below solution might help you  https://community.splunk.com/t5/Splunk-Search/Looking-for-better-alternative-to-checking-a-windows-service/m-p/357970     ... View more

Let's see in the docs: maxVolumeDataSizeMB = <positive integer> * If set, this setting limits the total size of all databases that reside on this volume to the maximum size specified, in MB. Note that this it will act only on those indexes which reference this volume, not on the total size of the path set in the 'path' setting of this volume. In other words, the limit for your COLD volume limits only cumulative size of databases directly referencing this volume. The _splunk_summaries volume has its own independent limit. So effectively you may grow your /Splunk-Storage/COLD directory up to 4674000MB (probably a bit more, considering some metadata overhead and so on) ... View more

Thanks for your time. It's worked perfectly. Just I have a misspelling in my post. I've corrected it so you do. MAX_TIMESTAMP_LOOAKAHEAD = 16 MAX_TIMESTAMP_LOOKAHEAD = 16 ... View more

Hi @m_zandinia, glad to help you, but take in consideration my hint to involve a Splunk Architect or Splunk PS: you haven't a basic requirement, it's a relevant one! Tell me if I can help more, otherwise, please, accept the answer for the other people of Community. Ciao and happy splunking. Giuseppe ... View more