While, in theory, it may be possible to have the data go to a different index, I advise against it.  First, some of the references to _internal may be hardcoded so you won't be able to change 100% of the events. Second, making such a change may have side effects such as built-in dashboards and alerts no longer working.  Finally, data written to _internal is free whereas sending to a different index will count against your license. ... View more

Hi @hethu, good for you, see next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Managed to solve the first part of my problem based on other forum answers, successfully managing to override CSS.  Anyone able to help me out with figuring out how to hide "split by" category and vertical stack? This solved my first problem, is there an easier/more elegant way to do this?   <row depends="$alwaysHideCSSPanel$"> <panel> <html> <style> div.viz-facet{ width: 200px !important; } text.single-result{ transform: translate(5px,0px); } .viz-panel.viz-facet-size-medium .facet-label{ font-size:14px !important; font-weight: bold !important; } </style> </html> </panel> </row>     ... View more

To help future readers, please describe the manual changes you had to make. ... View more

Understood. My suggestion would be to deploy a Heavy Forwarder on DMZ. I guess It would give you more control on inputs, routing and parsing than the Universal Forwarder. But looking at the docs, It seems to be possible to use the Universal Forwarder as intermediate. Here you have a more detailed comparison about the different types of Splunk forwarders (https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Typesofforwarders#Forwarder_comparison) ... View more

You could try TIME_FORMAT = %s Reset lookahead back to 32 to see if this would have picked up the timestamp from the beginning of the line  ... View more

HI @hethu, good for you. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Yes, it is possible. Note, it may cause excessive CPU usage on the indexer / heavy forwarder.      props.conf and transforms.conf (most likely on indexer, but if you have the data coming to a heavy forwarder, then put the props and transforms there as well) In the transforms example below, adjust the regex to grab the field you are looking for.  For More details, see: https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Advancedsourcetypeoverrides  props.conf [<sourcetype>] TRANSFORMS-changedatasource = datasource_finder transforms.conf [datasource_finder] SOURCE_KEY = _raw REGEX = datasource=(\w+) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::$1 ... View more

I think you can't do it. Bubble charts require three dimensions, but you have only two. See https://docs.splunk.com/Documentation/Splunk/8.0.4/Viz/BubbleChart ... View more

source="*WinEventLog:Security" sourcetype="*wineventlog:security" EventCode=4624 OR 4625 |timechart count(EventCode) by EventCode |untable _time EventCode Count |trendline sma5(Count) as trends |eventstats sum(Count) as total by EventCode ... View more