Good day Splunkers , We have a Data flow coming from the source A to Kakfa Topic. Splunk Connector on the kafka using HEC  Token to forward data from the Kafka Topic to Splunk HF.  Sourcetype if specified  while configuring the HEC. This source event has huge volume , and have many key-value pairs , To Manage the High  ingestion Volume , I need to apply truncate feature on all these events  at the heavy forwarder layer before it reaches indexing layer. Is it possible to choose only selected fields from these events and have them indexed ? is it possible to use script applied on the source type to format the data which is coming from HEC input at the HF level ? ... View more

While checking for the historical data for one of the KPI's in one of my glasstable 's  , it showed the latest alert_value for the global time range selected ,   tile is a single value visualization. but my itsi_summary has multiple Alert_value values, which is updated by my KPI base search running every 5 min .  my global time range : 1 hour. glasstable tile is showing latest alert_value value from the 55 min to 60 min run data.  but idealy it should aggregate all the alert value according to service on alert_value and show final value in the tile (single value) ... View more