Hi @calvinmcelroy, Splunk can read LZW, gzip, bzip2, or any other compression format that supports streaming via stdin/stdout if properly configured, so I'm surprised you had problems with logrotate. Is your configuration outside the norm? If you're running oneshot from a host with Splunk Enterprise installed, i.e. a heavy forwarder, then yes, you should have Palo Alto Networks Add-on for Splunk installed on the server. ... View more

Not sure if you are still looking into this, but I ran into a similar issue and aggregate several searches into Assets.  Either the CMDB is missing items or some other agent has additional information for an asset.   Very basic instructions: 1. Create search that returns info you want 2. https://docs.splunk.com/Documentation/ES/7.0.1/Admin/Formatassetoridentitylist for table in search. You may have to rename some fields to match 3. Save As - Report 4. Schedule it 5. Title and description 6. Settings-Lookups-lookup definitions 7. Create new definition 8. Dest App = SA-IdentityManagement 9. name it 10. File-based 11. Lookup file = name of the outputlookup csv you had in search. If it's not in the list manually re-run the saved search. 12. Open Enterprise security app 13. Configure-Data Enrichment-Asset&Identity 14. New Configuration 15. Choose source -- will be the lookup name 16 Save.   You are correct in letting Asset and Identity Management manage the merge.  You can set the rank of all of the sources on that page as well. ... View more

Another Detail - If I replace the token with username:password, the script can retrieve the search results using the sid. ... View more

Hi @calvinmcelroy, at first don't put other components on the SH, better the HF. if you want to read the edl.txt file in Splunk, you could create a monitor input that reads the edl.txt file without reference to the location. In inputs.conf: [monitor://opt/splunkforwarder/edl.txt] index = edl sourcetype = edl disabled = 0  Ciao. Giuseppe ... View more

Thank you. I will try this out.  ... View more

This is very helpful to know. Do you know if the additional metadata being extracted is counted against the quota? The Rollover Summaries count suggests that it is not.  I had a suspicion this was additional data getting added as things are being parsed, because you can see the additional fields and that must take up some space. I would guess this is why it changes from sourcetype to sourcetype and is not a consistent across all inputs. The rollover summaries also make the most sense for the license usage count. Splunk support had given me some conflicting info about with the Rollover summaries, but I am not confident in it. I have had multiple people tell me that the rollover summaries are what I should be paying attention to. It has been a bit confusing for someone new to this type of license model. Thanks for helping confirm that.  I have also found a number of messy configurations that could be adding some additional events or conflicting with each other and need cleaned up.   ... View more

Thank you both, this was helpful.  I did find at least one issue causing double events, but the problem doesn't seem to be as wide spread as I thought. Now I know how to verify this. ... View more

It turns out, the issue with my outputs.conf file was in fact creating some kind of data cloning scenario.  I changed the conf setting, and now receive the amounts of events that I would expect. This explains the duplicate events in my Scripted Input. I am hoping I might be able to find another one somewhere that would explain why these numbers are doubled.  ... View more