Hello,  I have Splunk Add-on for AWS version 4.6.1 installed on a standalone search head that is running on Splunk Enterprise version 7.3.3, and running on CentOS 7.  I have a S3 bucket named, backups.  and under backups, I have two sub folders, server_test1 server_test2  I only want to ingest files from server_test1, but I am ingesting files from the both folders.  Could you tell me what I am not doing right?  here is the inputs.conf [aws_s3://server_test] aws_account = aws-instances bucket_name = backups character_set = auto ct_blacklist = ^$ host_name = s3.amazonaws.com index = test_index initial_scan_datetime = 2021-03-29T15:00:15Z max_items = 100000 max_retries = 3 polling_interval = 1800 recursion_depth = -1 sourcetype = aws:s3 disabled = 0 log_partitions = server_test1/ ... View more

We have four indexers in a cluster, single site, with RF=3 and SF=2.  We will have a maintenance that will require two indexers power down (EC2 instances), and the maintenance will last about two hours.  What will be the proper way or sequence for taking those two indexer servers power down?  Should I do splunk offline on one indexer first, power down, wait for a while, and then proceed to other indexer?  or should I do splunk offline on both servers , and power down simultaneously?   ... View more

Have anyone gotten this error message after installation, and can point me to a direction to resolve it? WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Dec 17 14:01:08 2019). Context: source=/opt/Firepower/splunk/etc/apps/TA-eStreamer|host=splumkhf.domain.com|cisco:estreamer:data|83258 ... View more