Hello Team, 9.4.0, thsooting prod, replicated the issue in staging, i have 1 indexer only. Performing all searches on that indexer: - when i search for "index=index1 sourcetype=mytype1" i got 0 results - when i search for "index=index1" i got 1000 results and can see all of those are of sourcetype=mytype1 - when i search for "index=index1 | stats count by sourcetype" can see 0 statistics - when looking at those events manually - all of them are of sourcetype=mytype1. - checked job inspector, all looks good, nothing special I am admin. Full access. Searching with 15 min all all time (no difference, the same results) Sourcetype "mytype1" has been created by transforms: [set_sourcetype_1] REGEX =myhost\.pl DEST_KEY = MetaData:Sourcetype FORMAT = mytype1 WRITE_META = true No other definition of that sourcetype anywhere else (should i add it somewhere ??) What is wrong ? Why can not i search by sourcetype ? Thanks, ... View more

Hello Team, Deployment with: - HF with ACK when sending to Indexer - HEC on HF with ACK - application sending events via HEC on HF with ACK Still in this model there is a chance that some of the events will be missed. Application might get ACK from HEC, but if the event is still on the HF output queue (not yet sent to the indexer) and we have non-gracefull reboot of HF (so that it could not flush out it's output queue). Can you confirm ? What would be the best way to address it ? So that once the application receives ACK we do have end to end guarantee that event is indexed ? Thanks, Michal   ... View more

Hello Team, As per https://docs.splunk.com/Documentation/Splunk/9.2.0/DistSearch/Knowledgebundlereplication "The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf" Or "The knowledge bundle consists of a set of files that the search peers ordinarily need in order to perform their searches" Could you please give me one example why we really need it ? I had the impression that to return search results to SH indexer just need SPL query and it's locally indexed data + metadata. One of my guesses for a good example were: lookup files, but i guess indexer should not need any lookup files since that job is done be search head, not indexer. The same with other KO objects like tags, event types, macros etc...-> those objects should not be needed on the indexer to perform search, those are used by search head to enrich data returned by the indexer. Another theory: we distribute those files not to help with searching, but with parsing and indexing (for example using props.conf and transforms.conf). Maybe that is the case ? Extra question: the conf files delivered in the bundle: if i do understand correctly those settings are in memory only, not modifying any existing conf files on the indexer ? But at the same modifying memory settings for (for example) index.conf ? If so - i should be able to run "splunk btool indexes list" to see something different  then "splunk show" -> to compare the diff between current configuration files versus those sent from bundle and applied in memory ? What are the best practices here ? What am i missing ? Thanks, Michal   ... View more

Hello Team, I have my training Splunk instance with ES 7.1. I have used it for training and experiments. Question: is there any "training/example" data i could use to import it there ? The point is: i do not want to configure dozens of TA's/collectors, create real labs with real cybersecurity attacks, instead would love to have a test data so i could learn/experiment/review Splunk ES capabilities. Anything ? ... View more