Dear Team,   Need your expert advice. a. Indexer Cluster - Is it feasible to separate the replication of indexer peers among the peers themselves? Illustration: Within the indexing cluster, the Master is associated with indexer peers A, B, C, and D. My aim is to ensure that the development data being forwarded to A is exclusively replicated with B. Likewise, the production logs should only be replicated among C and D. It's essential that the data between C and D, as well as A and B, remain non-replicated. Is this solution attainable? Br, Prasad V ... View more

Dear Team, We have configured the Splunk OTEL collector to collect logs from OpenShift environment namespaces and Pods and send them to Splunk Enterprise using HEC (HTTP Event Collector). However, we are experiencing unusual behavior with the values.yaml configuration when it comes to collecting audit logs. logsCollection: extraFileLogs: filelog/audit-log-kube-apiserver: include: [/var/log/kube-apiserver/audit.log] start_at: beginning include_file_path: true include_file_name: false resource: com.splunk.source: /var/log/kube-apiserver/audit.log host.name: 'EXPR(env("K8S_NODE_NAME"))' com.splunk.sourcetype: kube:apiserver-audit I'm having an issue with the OTEL collector Pod. Whenever I restart it, it starts ingesting data from the beginning instead of resuming where it left off. I've tried modifying the "start_at" option by setting it to "current," but that didn't work. I also attempted removing the key-value pair, but it didn't solve the problem. I would greatly appreciate any assistance in resolving this matter. ... View more

Dear Team, Below is the raw log for your reference: {"kind":"Event",*******************,***,"stageTimestamp":2023-05-16T11:25:19.603580Z} I have created a props.conf with the respective sourcetype and below for your reference: [kube:apiserver-audit] LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true TIME_PREFIX = stageTimestamp\"\:\" TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6N SHOULD_LINEMERGE=false MAX_TIMESTAMP_LOOKAHEAD=27 However, when I check in Splunk time stamp is not parsed correctly. Any help here would be much appreciated.   Br, Prasad V ... View more