Hi @raiqb01, sorry but you are making a little confusion: ES isn't to be installed on Indexers and Cluster Manager, ES must be installed only on Search Head and (if you have a Search Head Cluster) on Deployer. On the Indexers (using Cluster Manager) you must install an add-on that must be downloaded from the ES installation on Search Heads.

The issue that you're reporting isn't related to ES, but you should analyze your inputs add-on because the issue is probably related to the fact that you don't correctly assign the sourcetype to your logs. Look at the Linux Add-On if present.

Then the Error 1 is related to an incorrect ES installation.

Last: the Issue2 is related to few resources for your Indexers and Search Heads.

Did you follow the ES installation instructions (https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallEnterpriseSecurity)? What's the reference hardware that you're using for ES (https://docs.splunk.com/Documentation/ES/7.3.2/Install/DeploymentPlanning)?

Ciao.

Giuseppe