>Or is that the number of seconds in 20 minutes?  yes, 60(s)*20=1200 ... View more

Hi Chris, I would suggest you to index it the regular way unless there is very huge amount of data which will impact your license, the only thing which i would take care is to ensure the time stamp which splunk is considering. Ensure that splunk is not using the indexed time which is mess up your data which is currently being indexed. In this scenario all the data will first hit the hot bucket and basing on the bucket settings this historic data will roll over to concerned buckets accordingly. ... View more

This depends on case by case, for some of the application you require TA and app both on search heads and for some of the application only app is require. ... View more

I've got this problem, too. Disabling searches feels like a workaround. It's kinda hard to tell which ones you "need" and which you don't. You don't, for instance, need a saved search about a WSA if you don't have a WSA. But your "Top Attackers" search doesn't matter until you get attacked. ... View more

A comment transforms.conf suggest using host matching to remap sourcetype, but that changes the sourcetypes of all events emitted from that host. So, suddenly your plain-vanilla Window sourcetypes disappear. Instead, I've used the [(?::){0}sophos:*] trick in props.conf to get those CIM-compatible search-time aliases and lookups to fire. My current problem with them is that they don't exactly match the output from Reporting Log Writer anymore. When I get the field mappings working again, I'll report back here. ... View more