You cannot rename the source type for data that has already been indexed. You can do some things at search time, but since that is inefficient I won't go into it. Your best bet is likely sending the data feed to a heavy forwarder, setting the source types appropriately (inputs, props, transforms), and then kicking it to the indexers. ... View more

What commonality do the failing containers have with other failing containers, and how do the differ from containers that do not fail? ... View more

Unfortunately, I will not be able to make it tomorrow. I have some prior commitments I have to attend to however, I will be there in spirit! Y'all have fun and have a beverage for me. ... View more

Nothing wrong with that, without specific questions all I can really recommend is reading the Splunk Docs pertaining to the specific questions you have. There are a plethora of .conf talks out there about many of these topics too. Some of them are a bit dated, but their theories still ring true. ... View more

Do you have any specific questions or issues you're experiencing with those subject areas? ... View more

Do you have any specific areas of the Advanced Power User you're struggling with? ... View more

@robcgaskins,  First and foremost, welcome to the San Antonio Splunk Usergroup! We are excited to see new members jumping in to get their hands dirty with Splunk. There are some great resources available for folks going through their Splunk inauguration. Attached to this post I have shared Splunk's Fast Start Program. This is a brief PDF outlining the different courses available through Splunk Education to get you and your team up and running. I got my start with Splunk running through their self-taught and eventually virtual classes and can't recommend them enough. You can also check out the other courses available from Splunk Education here: https://www.splunk.com/en_us/training.html?sort=Newest As always, if you have any specific topics you'd like some assistance with please post here on these forums and we can all try and tackle the problem together. I look forward to meeting you and discussing things further as we grow the San Antonio Splunk User Group together! Very respectfully, Charles (Atriarc) ... View more

Awesome! Let me know how I can help. Looking forward to regrowing the San Antonio User Group! ... View more