Hi @chenfan , Ok, there's no requirement on the license. Anyway, the choose of install from scratch a new instance is a strange approach because you said to have a structured architecture with many servers and componente: in other words you want to start a new infrastructure, I'm not sure that you save time creating from scratch the same infrastructure and copying all the apps and configurations, but it's your choose! Ciao. Giuseppe ... View more

Hi I just found this https://community.splunk.com/t5/Getting-Data-In/How-to-configure-HTTP-Event-collector-to-log-client-source-IP/m-p/273311#M52449 I haven’t checked if this is valid also on SCP or not? r. Ismo ... View more

Hi @FAnalyst  The answers provided so far look to either look at forwarders sending data to your Splunk indexers, or look at allowlist configurations in serverclasses, however I believe you are looking for the host and IP of deployment clients when they connect? If that is the case then try the below search:   | tstats latest(_time) as lastPhoneHome WHERE index=_dsphonehome earliest=-24h latest=now by data.clientId | append [| tstats latest(_time) as lastRestart where index=_dsclient earliest=0 latest=now by data.name, data.build, data.clientId, data.splunkVersion data.package, data.hostname] | stats latest(*) AS * by data.clientId | eval lastPhoneHomeFriendly=strftime(lastPhoneHome,"%d/%m/%Y %H:%M:%S")   This was tested on SPlunk 9.3 but I believe should work from <9.2 Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped. Regards Will ... View more

Sweet, its storing the color in $color|s$ and displaying it in the "Free Space (%)" column cells now which is what I need. But it only evaluates for the first color value in the column not for each individual field value. So the whole column is a single color. Is there a way of making it evaluate for each field value? ... View more

I appreciate the reply, but this is why I am asking the question I cannot find any information about a timeout in the documentation for this. If there is no timeout that is fine, just want to know. ... View more

Hello, I am sorry. I tried many ways, but i was completly looking at examples that did not helped me This indeed solved the question. Thank you for your help. Harry ... View more

Hi We are working on a Cisco Sec+Splunk course, using the new Cisco Security Cloud App as well as coverage for the old apps like the Cisco ISE App/Add-on. In this course, we have a troubleshooting section, so for ISE, just checking if there are any ISE logs in Splunk for troubleshooting the App/Add-On   Thanks! ... View more

You are absolutely right. Splunk ran under root account. I have changed it already, but it didn't help. Normal universal forwarders works great, only Splunk servers don't change configuration. But I will handle it using ../local/ files as you suggested. Thank you,   ... View more