Thanks @richgalloway @livehybrid .. appreciating your help with karma points. Selected @PickleRick 's reply as solution as it gives some more pointers and some more ideas. thanks again.  ... View more

  Thanks @PickleRick @livehybrid @richgalloway ..One more query   Let's assume two Splunk environments, both are having same SVC value. And one project runs with ingest pricing model whereas the other runs on workload pricing model. Now, as per your understanding, which one will be cheaper, the ingest model or the workload pricing model? ... View more

Hi @chenfan  Pls check this similar post: https://community.splunk.com/t5/Splunk-Search/How-do-I-apply-symbol-for-Y-axis-values-in-a-Splunk-Chart/m-p/400095   ... View more

Hi @livehybrid ,  >>> The upgrade docs above state you can go from 9.3.x to the latest 10.0.x version without needing to upgrade to 9.4.x first <<<    the above mentioned upgrade docs is for Splunk Enterprise i think(user is asking about UF, not Splunk Enterprise). and also i could not find where it says you can go from 9.3.x to latest 10.0.x, could you pls clarify, thanks.  ... View more

Hi @gitau_gm  First things first....1) what is the indexer version? Determining forwarder-indexer compatibility is important 2) only few UF's or high number of UF's? if only few, you can manually plan to upgrade. high number of UF's require more manual task or some automatic upgrades can be planned.   document for y(our) reference: https://help.splunk.com/en/splunk-enterprise/release-notes-and-updates/compatibility-matrix/splunk-products-version-compatibility/compatibility-between-forwarders-and-splunk-enterprise-indexers Forwarder version Splunk Enterprise indexer version   9.2.x 9.3.x 9.4.x 10.0.x 8.1.x E, H, M E, H, M E, H, M E, H, M 8.2.x E, H, M E, H, M E, H, M E, H, M 9.0.x E, H, M E, H, M E, H, M E, H, M 9.1.x E, H, M E, H, M E, H, M E, H, M 9.2.x E, H, M E, H, M E, H, M E, H, M 9.3.x E, H, M E, H, M E, H, M E, H, M 9.4.x E, H, M E, H, M E, H, M E, H, M 10.0.x E, H, M E, H, M E, H, M E, H, M   E - Events. This version of forwarder can send event data to the corresponding version of indexer. H - HTTPOUT. This version of forwarder can send event data from Splunk instance to Splunk instance (S2S) over Hypertext Transfer Protocol Secure (HTTPS). M - Metrics. This version of forwarder can send both event data and metrics data to the corresponding version of indexer. ... View more

Hi @Sailesh6891  To list all Splunk indexes, use the search command 1)  | metadata type=indexes  2) | rest /services/data/indexes  3)  | tstats count where index=* by index 4)  with web UI access available(if you have admin access), check Settings > Indexes for a managed view.    for the question - creation time and who created the index there are no straight forward answer for this(should check about this).     Similar question discussed was: https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-get-a-list-of-available-indices/m-p/58945   ... View more

Hi @richgalloway @livehybrid @PrewinThomas .. all three of you gave the right answers. so, following the "first come first served" logic, selecting Rich's answer as the solution. given karma points for all 3, thanks.  for future users reference, pls check these 2 links for detailed info: https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.4/administer-the-app-key-value-store/back-up-and-restore-kv-store https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.0/administer-splunk-enterprise-with-the-command-line-interface-cli/administrative-cli-commands   ... View more

Hi @kamalKSharma  there are only these 3 ideas: 1) there is a "Splunk Enterprise Security Guided Product Tour" https://www.splunk.com/en_us/form/enterprise-security-tour.html 2) on youtube, there are few good Splunk ES demo videos available(they are from Splunk's own channel, so very good quality materials they are.) 3) as said by @PrewinThomas , splunkbase restricts "trial" downloads to customers who have purchased ES or have been provisioned a trial entitlement(by Splunk Sales team or Splunk Account mgr) ... View more

Hi @richgalloway and @VatsalJagani , thanks for the link and good details.  but two more curious questions:... the user replied as --- "I changed the hec endpoint from "/service/collector" to "/service/collector/raw" on the sender, and my source type works now!" out of these endpoints (copied the table here for easy reference) 1) can a dev guy send logs to "any" of these end points? 2) can i assume only these 2 (services/collector/raw and services/collector/raw/1.0) are ok endpoints to receive logs with _time inside the logs? REST API endpoint Description   data/inputs/http Accesses or updates HTTP Event Collector global configuration tokens and application tokens.   data/inputs/http/{name} Manages the {name} HTTP Event Collector token. HTTP, as in data/inputs/http/http, indicates global configuration.   data/inputs/http/{name}/disable Turns off the {name} HTTP Event Collector token.   data/inputs/http/{name}/enable Turns on the {name} HTTP Event Collector token.   services/collector Queries events to HTTP Event Collector using the Splunk platform JavaScript Object Notation (JSON) event protocol.   services/collector/ack Queries event indexing status.   services/collector/event Sends timestamped events to the HTTP Event Collector using the Splunk platform JSON event protocol when you set the auto_extract_timestamp argument to true in the /event URL. An example of a timestamp is 2017-01-02 00:00:00 Timestamps in the event's JSON envelope take priority over the extracted timestamp. If there's no timestamp in the event's JSON envelope, the merging pipeline extracts the timestamp from the event. If time=xxx is used in the /event URL, then auto_extract_timestamp is turned off.   services/collector/event/1.0 Works identically to the services/collector/event endpoint but introduces a protocol version for future scalability.   services/collector/health Checks the health of the HTTP Event Collector. This endpoint is supported in Splunk Cloud Platform and versions 6.6.0 and higher of Splunk Enterprise.   services/collector/mint Posts data formatted for Splunk MINT to the HTTP Event Collector.   services/collector/mint/1.0 Works identically to the receivers/token/mint endpoint but introduces a protocol version for future scalability.   services/collector/raw Sends raw data directly to the HTTP Event Collector.   services/collector/raw/1.0 Works identically to the services/collector/raw endpoint but introduces a protocol version for future scalability.   services/collector/s2s Receives Splunk Transmission Control Protocol (TCP) data over HTTP from the Splunk Universal Forwarder. This endpoint is supported in Splunk Enterprise 8.1.0 and higher.                 ... View more

 I installed the Splunk Add-on for Palo Alto Networks on the deployment server and pushed the TA to the HF, indexers, and search head. from DS, did you push the TA to indexers and search heads? ... View more

Hi @Ghostoverflow25  However, the first warning did not clear (the info one). ---- no need to worry.  wait for one more day, it will clear. also it is the first warning, right, so no problems at all.  ... View more

Hi @sureshmani04  hope you got the solution.. if so, could you pls mark the question as solved, so it will be moved from unanswered to solved. thanks. karma / upvotes are always welcomed, thanks.  ... View more

Hi @sureshmani04  1) do you want to change the sourcetype of the already indexed data  or  2) new data that is yet to be onboarded    for the case 1, the answer is no. once the data is ingested, we can not alter / modify anything to the indexed data.  for the case 2, you can refer the previous reply. pls note that, most of the times you need not change/modify the sourcetype of an app/add-on, unless you have some specific requirements, thanks.  ... View more

Hi @spy_jr  Actually, you can grant access to this particular index only to the required user ids. in that way you can easily control who can see or search or do anything with the index.    Pls check some discussions here -  https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-encrypt-sensitive-data-in-index-time-and/m-p/640324   ... View more

Hi @sandeep_A1997  Pls check the bucket status - indexer clustering > Indexes > Bucket Status Pls update us if you have any bucket issues...    Some docs links: https://help.splunk.com/en/splunk-enterprise/administer/manage-indexers-and-indexer-clusters/9.4/troubleshoot-indexers-and-clusters-of-indexers/bucket-replication-issues https://splunk.my.site.com/customer/s/article/SF-and-RF-is-not-met-on-Cluster-Manager   ... View more

Hi @Andre_  1) after props.conf 's update/creation, did you restart the splunkd on the indexer? 2) if yes for above, then pls use the btool command to check if the props.conf got applied or not(you can search for splunk btool options here in communities).   if any reply helps you in any way, a karma point / upvote would be helpful for the author, thanks.  ... View more

Hi @Andre_  Pls check the MAX_DAYS_AGO option on the props.conf https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Propsconf   MAX_DAYS_AGO = <integer> * The maximum number of days in the past, from the current date as provided by the input layer (For example forwarder current time, or modtime for files), that an extracted date can be valid. * Splunk software still indexes events with dates older than 'MAX_DAYS_AGO' with the timestamp of the last acceptable event. * If no such acceptable event exists, new events with timestamps older than 'MAX_DAYS_AGO' uses the current timestamp. * For example, if MAX_DAYS_AGO = 10, Splunk software applies the timestamp of the last acceptable event to events with extracted timestamps older than 10 days in the past. If no acceptable event exists, Splunk software applies the current timestamp. * If your data is older than 2000 days, increase this setting. * Highest legal value: 10951 (30 years). * Default: 2000 (5.48 years).   ... View more

Hi @SR .. may i know if you get results for the first search.. if no, pls understand that Application= may be service= or something else(depends on your logs).  if your search fails, then pls check the search below: do you get results for index="Nex" Application="Pe***g.Ne**s.Platform.Host" OR the better do this search index="Nex" "Pe***g.Ne**s.Platform.Host" maybe pls send me a direct msg here in my profile, i can try to help you further. thanks.   ... View more