Hello @MichalG1, ES requires 16 CPU, 32 GB Memory (https://docs.splunk.com/Documentation/ES/7.2.0/Install/DeploymentPlanning). However, if the ask is to update max_searches_per_cpu and base_max_searches on a pre-prod environment (and not prod), you can go ahead and try doing that. I would also suggest disabling the Data Model Accelerations, as well as reviewing the correlation searches which are enabled by default, because the issue seems to be with the scheduler getting a lot of searches to execute at any given time (and not a resources issue). You can also review the alert actions and cron schedules through this search (and stagger the cron schedule if needed):

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| eval actions=split(actions, ",")
| rename title as "Correlation Search", cron_schedule as "Cron Schedule" "dispatch.earliest_time" as "Earliest Time" dispatch.latest_time as "Latest Time" actions as "Actions"
| table "Correlation Search" "Cron Schedule" "Earliest Time" "Latest Time" "Actions"

Please accept the solution and hit Karma, if this helps!
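Added example, not part of the original post and not Splunk code: one way to see where cron schedules pile up, given the "Correlation Search" / "Cron Schedule" pairs the search above returns. The sample rows and function names are constructed for illustration, and only the minute and hour cron fields are evaluated.

```python
from collections import Counter

def expand(field, lo, hi):
    """Expand one cron field (*, */n, a, a/n, a-b, a-b/n, comma lists) to a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = int(rng)
            end = hi if "/" in part else start  # "a/n" runs from a to the field maximum
        values.update(range(start, end + 1, step))
    return values

def load_per_minute(searches):
    """Count how many searches start in each (hour, minute) slot of one day."""
    load = Counter()
    for _title, cron in searches:
        minute, hour = cron.split()[:2]  # assumption: day/month/weekday fields are ignored
        for h in expand(hour, 0, 23):
            for m in expand(minute, 0, 59):
                load[(h, m)] += 1
    return load

def busiest(searches, top=3):
    """Return the most crowded start slots, ties broken by time of day."""
    load = load_per_minute(searches)
    return sorted(load.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

# Constructed sample rows (title, cron_schedule); not taken from any real deployment.
SAMPLE = [
    ("Search A", "*/5 * * * *"),
    ("Search B", "*/5 * * * *"),
    ("Search C", "0 * * * *"),
    ("Search D", "*/15 * * * *"),
    ("Search E", "3-58/5 * * * *"),  # same 5-minute cadence as A/B, staggered by 3 minutes
]

if __name__ == "__main__":
    for (h, m), n in busiest(SAMPLE):
        print(f"{h:02d}:{m:02d} -> {n} searches start together")
```

Slots with the highest counts are the candidates for staggering; Search E shows a staggered schedule that keeps the cadence but never shares a start minute with the others.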