I'm not sure where to address the problem, but let't try here: The documentation says that Splunk sets locale basing on browser language. It's fine, however if browser is not set to English (GB) but any foreign language (i.e. Polish), Splunk sets locale to English (US). This is pretty uncomfortable, as most of the World uses different time format than US.  Is it possible to change this behaviour in Splunk settings? And could future Splunk releases use English (GB) by default? ... View more

This is my architecture: 1. A deployment server (DS) with apps within deployment-apps folder 2. Two search heads (SH) 3. Two clustered indexers (CI) 4. A number of production servers with Splunk forwarder installed (SF). I feed both SH and SF with apps on DS. SF write to CI and SH reads from CI. I need to develop a custom app to read application logs. I know that I need inputs.conf on SF and props.conf (with i.e. EXTRACT parameter set) on SH.  What is the best and proper way to do so? Create two separate apps (one for SH and one for SF)? Or use one app, but disable part of config files somehow (i.e. basing on server class)? I don't want inputs.conf to be used on SH and props.conf on SF. What about Splunkbase apps (i.e. for Apache) - how they should be different and how to maintain them? ... View more

I got a bunch of alerts and reports scheduled - unfortunately most of them are scheduled for the same time. Is it possible to automatically review and correct those times? Does Splunk enterprise security have any "collision avoidance" mechanism in order to prevent that from happening while creating new corellation searches? ... View more

Enterprise Security has a nice Glass Table feature. I'm wondering if it is possible to include it within dashboard? Or export somehow - GT right now look more like "preview" than a regular tool. ... View more

I need an action for an incident responder to send a selected event's data via email. I can define notable actions, but they will be triggered automatically when a notable is created. How can I do this manually? ... View more

User Guide for ESCU version 3.0.5 (https://docs.splunk.com/Documentation/ESSOC/3.0.5/user/ConfigureSplunkEnterpriseSecurity(ES)touseMLTK) refers to ES User Guide version 5.2.2 (https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps#Import_add-ons_with_a_different_naming_convention) on how to install Custom Apps, in this case MLTK.  The problem is, the same ES User Guide for current ES version (6.2.0) does not exist. I tried to follow the ESCU guide and configure "App Imports Update" but was unable to edit "update_es" input. Shouldn't this be updated? What is the correct configuration of MLTK for ESCU? ... View more

I have a distributed setup of Splunk ES, with separate SH, indexers and forwarder. I set some flows (sFlow, Netflow to forwarder). However, forwarder's IP is set in a "host" field of all logs. How can I keep the original device address (i.e. an address of a router that is sending those flows). ... View more