@Komal0113  Certainly! If the IDP certificate setup isn’t working as expected, you can create your own certificate for SAML configuration in Splunk. Here are the steps to achieve this: https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/Howtoself-signcertificates    ... View more

1. Search head is the component which spawns searches against indexers which hold the already indexed data. So I assume you meant that you're sending data in some format but it's getting improperly split into events. 2. Sending raw tcp or udp data stream directly to a Splunk component is not the preferred way to go (for several reasons which I will not dig into at this point). 3. What do these events look like on the wire? I'm not 100% sure but I think they might get split at datagram boundary regardless of other settings. 4. Your "split" set of events contains a second event which is _not_a part of the original event. A typo in preparation of the mockup data? ... View more