I’m running into an unexpected behavior with the Network_Traffic datamodel. Here’s the configuration: allow_old_summaries = true allow_skew = 0 backfill_time = -300s cron_schedule = 2-59/5 * * * * earliest_time = -2h hunk.compression_codec = - hunk.dfs_block_size = 0 hunk.file_format = - manual_rebuilds = true max_concurrent = 3 max_time = 14400 poll_buckets_until_maxtime = false schedule_priority = higher workload_pool = -   According to the settings, I would expect the accelerated summaries to be limited to a 2-hour window (earliest_time = -2h), but when I query the datamodel I still see events much older than that  in fact, some are even 1000+ days old. From what I understand: earliest_time should define the time window for acceleration and summaries. If I query the base indexes directly, the data matches expectations. Only the datamodel acceleration seems to be including much older data. Have you ever experienced this issue? Could this be related to backfill behavior, the allow_old_summaries = true setting, or perhaps the way the datamodel was originally accelerated?   Any insight would be very helpful. ... View more

Hello everyone, I have an app on one of our Heavy Forwarders that is supposed to route traffic: All events go to our indexer cluster (my_peers_nodes) If the index is  customers_index , events should also be forwarded to two additional Heavy Forwarders (customers_to_tel). Here is the configuration: outputs.conf [tcpout:customers_to_tel] disabled = false server = 10.x.x.177:9997,10.x.x178:9997 props.conf [default] TRANSFORMS-routing = allRouting transforms.conf [allRouting] SOURCE_KEY= _MetaData:Index REGEX= customers_index DEST_KEY= _TCP_ROUTING FORMAT= my_peers_nodes,customers_to_tel The problem is: Some sourcetypes with index=customers_index are correctly forwarded to the additional Heavy Forwarders. But other sourcetypes with the same index=customers_index remain only on our Splunk environment and are not being forwarded to the additional Heavy Forwarders. So the routing works partially depending on the sourcetype. My questions are: Why would events with index=customers_index not always match the transforms.conf rule? Is it possible that _MetaData:Index is not always available on the Heavy Forwarder if events are already cooked? What is the best practice to ensure all events with index=customers_index are also forwarded to the extra Heavy Forwarders? Thanks in advance for your help! ... View more