Hi @super_saiyan,   You can update limits.conf to change the Show Source settings.  The docs mention that results are "pruned" so while you increase the limit, you may still not get an increase in events displayed. https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bshow_source.5D [show_source] distributed = <boolean> * Whether or not a distributed search is performed to get events from all servers and indexes. * Turning this off results in better performance for show source, but events will only come from the initial server and index. * Default: true distributed_search_limit = <unsigned integer> * The maximum number of events that are requested when performing a search for distributed show source. * As this is used for a larger search than the initial non-distributed show source, it is larger than max_count * Splunk software rarely returns anywhere near this number of results, as excess results are pruned. * The point is to ensure the distributed search captures the target event in an environment with many events. * Default: 30000 max_count = <integer> * Maximum number of events accessible by show_source. * The show source command will fail when more than this many events are in the same second as the requested event. * Default: 10000 max_timeafter = <timespan> * Maximum time after requested event to show. * Default: '1day' (86400 seconds) max_timebefore = <timespan> * Maximum time before requested event to show. * Default: '1day' (86400 seconds)   Cheers, Daniel ... View more

Hi @super_saiyan, I haven't an answer to this, you could open a not technical case to Splunk Support. Ciao. Giuseppe ... View more

Put the field name in double quotes (usually it is single quotes for field names but rename seems to operate differently) |rename "ops{}.steps{}.steps{}.address{}.deployment" as deployment ... View more

@super_saiyan  Glad to help you.  😀 . If the solution resolved your problem then please accept the answer to the close question. KV ... View more

That looks like it should work, but here's an alternative to try: TIME_PREFIX = \d\s+ TIME_FORMAT = %a %b %d %H:%M NO_BINARY_CHECK = true SHOULD_LINEMERGE = false ... View more

What are you trying to accomplish? ... View more

You can raise the limits of course to delay the onset of the problem a little, as others already mention. But the question is why do you have such a big mvexpand. If you're mvexpanding original events, maybe it's worth reviewing onboarding of this sourcetype. If it's because you did some huge "stats values" or something similar, maybe you should review your search and try to get to the results another way. ... View more

| eval message= if(isnotnull(message),message,case(Actor="superman","super hero",Actor="emma watson","model", true(),"NA")) ... View more

To be fully honest, I'm just guessing since the configuration looks like log4j but as far as I know splunk itself doesn't use java so there must be simply some similar framework. (and there are many very similar framework for other programming languages/environments) With log4j you have whole framework where on the one side you define logging categories and all the stuff responsible for ingesting the logged events and on the other side you define output channels (kinda like in splunk itself ;-)) - appenders. They append entries to some "storage channel" - files, network sockets for sending over to external server, console and so on. As I can see in the log.cfg in default splunk installation, it uses an appender called RollingFileAppender. This one as you can see here https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/RollingFileAppender.html (again - it's a log4j doc whereas splunk uses something different but similar) the options here only govern file size and maximum number of backlog files. But if you configure a DailyRollingFileAppender - https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/DailyRollingFileAppender.html - you can configure other parameters pertaining to time-based rotation. But. 1) I don't know if this appender is implemented in the library splunk uses 2) time-based rotation makes it possible for splunk to fill up the disk in case of a very "talkative" splunk operation (like some bug or something).   ... View more

Let me quote from Donald Knuth's "The Art of Computer Programming": "The real problem is that programmers have spent far too much time worrying about efficiency in the wrong places and at the wrong times; premature optimization is the root of all evil (or at least most of it) in programming." So even though some kernel tweaking might improve efficiency in some border cases, it's usually not the way to go. ... View more

Hi @super_saiyan, I never heard this sentence, my knowledge is relative only to the first 256 .chars. Ciao. Giuseppe   ... View more

Yes, It ran and solved my issue. Thank you so much as always. @gcusello  ... View more

The upgrade path lists both 8.0 and 8.1 as possible interim releases on your way to 8.2 https://docs.splunk.com/Documentation/Splunk/8.2.6/Installation/HowtoupgradeSplunk#Upgrade_paths_to_version_8.2 Remeber that with 8.1 python3 is the global default and for some uses you can switch back to python2.7 but not for all. So in general - you _should_ upgrade your apps to python3 ready if upgrading to 8.0 but you _must_ do that if upgrading to 8.1. ... View more

Hi @super_saiyan, as hinted by @PickleRick, you have to use the SEDCMD command or use props and transforms associated to the sourcetype you're using. In few words, you have to find the regex to identify the column to exclude, e.g. if you have 100 columns divided by comma ",", you could use a regex like this: in props.conf [your_sourcetype] TRANSFORMS-delete_column_80 = delete_column_80 in transforms.conf [delete_column_80] REGEX = ^(([^,]+,){80})[^,]+,(([^,]+,){19}) FORMAT = $1$2 DEST_KEY = _raw For more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Anonymizedata Ciao. Giuseppe ... View more

You can set multiple key/value pairs in one call. See the https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTkvstore#storage.2Fcollections.2Fdata.2F.7Bcollection.7D You're of course limited by the REST API request limits (I'm not sure how big they are). And I'm not sure why you're refering to KV-store as "events". Events are one thing and you post them to other endpoints (like /services/collector/event), KV Store is another thing. ... View more

Hi with @VatsalJagani you can check what splunk is currently used, after it has restarted/reloaded. Then with  splunk btool server list --debug You can see what you have configured on disk and from where it takes those into use after restart. This is useful to understand why some settings are not in use event you have put those on ("wrong") config file 😉 r. Ismo  ... View more

Hi @super_saiyan, I haven't any experience on Kubernetes, sorry, but I trust what was said by @PickleRick . Sorry I can't help you more! Ciao. Giuseppe ... View more