Hi everyone, I'm currently working with Splunk Enterprise Security and running into an issue when trying to enable multiple content management rules at once. In the Content Management section (Security Content → Content Management), I select multiple detections/rules and attempt to enable them using Edit Selection → Turn On. However, the rules are not getting activated as expected. Steps I followed: Navigated to Enterprise Security → Content Management. Selected multiple content items using the checkboxes. Clicked Edit Selection. Chose Turn On to activate the selected rules. Issue: The selected rules do not get enabled, or the action does not apply to all selected rules. Environment Details: Splunk Enterprise Security version: (add your version here) Splunk Enterprise version: (add your version here) Content type: Mostly Event-based detections / analytic stories What I want to achieve: I want to bulk enable multiple content management rules instead of enabling them one by one. Questions: Is there any limitation on bulk enabling rules in Content Management? Are there any required permissions or configurations needed for this action? Is there an alternative method (e.g., via search, API, or configuration) to enable multiple detections at once? I've attached a screenshot for reference. Any guidance or suggestions would be greatly appreciated. Thanks! ... View more

Hi Team, I’m looking for guidance on designing a Splunk SIEM ingestion strategy for the following scenario: We receive logs from multiple heterogeneous data sources (network devices, applications, servers, cloud services, etc.). Due to storage and licensing constraints, we do not want to fully index and parse all incoming data. Our requirement is: Only index and parse the fields required for compliance use cases (e.g., specific events and fields) Store the remaining raw log data without parsing Ensure the retained raw data is available for audit or forensic purposes if required later I would like expert recommendations on the best architectural approach to achieve this. Specifically: What is the recommended method to: Filter events before indexing? Route different data streams to separate indexes? Store non-parsed logs efficiently? Should we use: props.conf and transforms.conf for event filtering? NullQueue routing for unwanted events? Heavy Forwarders for preprocessing? SmartStore for raw data retention? What is the best practice for: Index-time vs search-time field extraction in this use case? Minimizing indexed data volume while maintaining compliance integrity? Licensing concern: If we store the full raw data in Splunk but do not parse or extract fields from it, will it still consume license? Is license consumption based on ingestion volume regardless of parsing? Are there supported ways to retain data without impacting license usage? Has anyone implemented a similar design in a production SIEM environment? What challenges should we expect? Any architecture guidance, configuration examples, or real-world lessons learned would be greatly appreciated. Thanks in advance! ... View more

My Core Problem is- Log categorization Log prioritization License optimization Your main constraint:  Splunk SIEM license limited to 50 GB per day The major challenge is that informational and operational logs consume a large portion of the license, leaving limited capacity for high-value security logs.  What I Need to Achieve I need to: Categorize logs across multiple device types (Windows, Linux, AD, Firewalls, Proxy, VPN, PAM, IDS/IPS, etc.) Prioritize logs into: MUST (critical for detection) OPTIONAL (use-case driven) EXCLUDED (non-security / high-volume noise) Control ingestion so that: Only security-relevant logs are indexed Informational logs do not exhaust license Detection capability is preserved The 50GB/day limit is sustainable Clearly document: What is collected What is not collected Why each decision was made How inclusion/exclusion is technically implemented Where filtering should occur (Device vs UF vs HF vs Indexer) Architectural Clarification I Needed I wanted clarity on: Whether logs should be filtered at the device level or Splunk layer The role of Universal Forwarder vs Heavy Forwarder The Real Underlying Issue Your environment likely generates far more logs than 50GB/day can handle if: Firewall allow logs are fully enabled Proxy full browsing logs are ingested Full Windows auditing is enabled Informational logs are not filtered So my real problem is: How to design a detection-focused SIEM model under strict license constraints without breaking visibility. ... View more