@Travlin1 something like this?   | makeresults | eval cn=mvappend( "192_168_1_1", "10_0_0_5", "webserver-prod01", "172_16_32_1", "database.example.com", "192_168_0_badformat", "dev_server_01" ) | mvexpand cn | eval converted_host=case( match(cn, "^\d+_\d+_\d+_\d+$"), replace(cn, "_", "."), true(), cn ) | eval host_type=case( match(cn, "^\d+_\d+_\d+_\d+$"), "ip_address", true(), "hostname" ) | table cn, converted_host, host_type         If this helps, Please Upvote. ... View more

@KyleMika Hello! What version of splunk are you on? You might find something in this: https://www.splunk.com/en_us/blog/platform/new-year-new-dashboard-studio-features-what-s-new-in-8-2-2201.html?locale=en_us Did you checkout Feature section here? the https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/DashStudio/IntroFrame#Dashboard_features   If this Helps, Please Upvote.   ... View more

@Aresndiz Checkout https://docs.splunk.com/Documentation/Splunk/9.3.2/Alert/ThrottleAlerts .You can control alert throttling behavior using these settings in your saved search:   alert.suppress = 1 alert.suppress.period = <time-value> For your specific case of wanting to suppress similar results but trigger on changes, you can also use: alert.suppress.fields = <comma-separated-field-list> This tells Splunk to only suppress alerts if the specified fields contain the same values. If the values change, a new alert will trigger even if it's within the suppression period. This gives you the balance of avoiding duplicate notifications while still catching important changes. If this helps, Please Upvote. ... View more

@Splunk_Fabi Hello, which version of ES are you using? I have seen a similar bug in 7.3.2 (a fix might be on the future roadmap). If you are on 7.3.2, please file a ticket with Splunk Support to expedite the issue.       If this Helps, Please Upvote.     ... View more

@rahusri2 This could be a bug in the REST endpoint on the backend '/servicesNS/admin/search/server/info' for that version/build. Are you using Splunk Cloud Trial? It's recommended to reach out to Splunk Support if this is happening in your production environment. If this helps, Please Upvote.   ... View more

@s_s Hello, checkout the queues on the hwf pipleine, and also see if you can apply  async forwarding. https://www.linkedin.com/pulse/splunk-asynchronous-forwarding-lightning-fast-data-ingestor-rawat If this Helps, Please Upvote. ... View more

@fatsug Hello! The last_validated_bundle  differs from the active_bundlewhich identifies the bundle that was most recently applied and is currently active across the peer nodes. Refer: https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Updatepeerconfigurations#Use_the_CLI_to_validate_the_bundle_and_check_restart         if this Helps,  Please Upvote. ... View more

@kwangwon Splunkcloud  trial version is a standalone system and uses self-signed certs.  You can try using curl -k "https://ilove.splunkcloud.com:8088/services/collector"         If this reply helps, Please Upvote.         ... View more

@SteveBowser  Checkout inputs.conf $decideOnStartup server.conf  hostnameOption = [ fullyqualifiedname | clustername | shortname ] If this reply helps, Please Upvote. ... View more

Hi @Amoreuser, Based on what you described, there seems to be an config issue in your alert setup. If your threshold is set to 90 but alerts are triggering at 89.1, you may want to check a few things: First, verify that your alert condition is exactly set to "Above" and not "Above or Equal". Second, take a look at your search query to make sure there's no unintended data processing affecting the values. If you're working with decimal values, you might want to add a round() function in your search to ensure more precise threshold control. Could you share your search query so I can help identify the issue? If this Helps, Please Upvote. ... View more

Yes, it's recommended as a best practice to implement all Magic 8 configs because they establish consistency and reliability in data onboarding. While most TAs start with Magic 6, adding the EVENT_BREAKER configs gives you better control over event distribution and parsing. Think of Magic 6 as the minimum standard, and Magic 8 as the complete package for optimal data handling. The TAs can be updated with the additional configs when needed based on your specific deployment, but having all 8 from the start is generally ideal as it prevents potential data parsing issues down the line. If this Helps, Please Upvote. ... View more

@christophecris Please open a support case to get this checked. If this Helps, Please Upvote. ... View more

Hey @NanSplk01 try  ... | eval websphere_logEventType=case(websphere_logEventType=I, "INFO", websphere_logEventType=E, "ERROR", websphere_logEventType=W, "WARNING", websphere_logEventType=D, "DEBUG", 1=1, "Not Known") If this Helps, Please Upvote. ... View more

@StanD3secI don't think there is one for enterprise yet.  ( Splunk Cloud ACS API has ) But you can use this for splunk enterprise SDKs here. https://dev.splunk.com/enterprise/downloads/ https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTlist If this Helps, Please Upvote. ... View more

@christophecris This looks like python core functionality is broken? any details about your instance? what version? This might be a bug or incompatible OS package. Did this happen  after a change? or an upgrade? If this Helps, Please Upvote. ... View more

@majilan1 the rex timeout typically  happens with complex events/data, or lot of wild cards in your regex. Refer: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Limitsconf#.5Brex.5D Try using that with  max_match option. | rex max_match=0 If this Helps, Please Upvote ... View more

@Karthikeya Index peers are simply indexers that work together in a Splunk cluster environment. They are responsible for receiving, processing, and storing data while maintaining copies across multiple indexers for redundancy and high availability. When a Cluster Master pushes configuration changes through an index cluster bundle, all index peers receive the same settings to ensure consistent operation across the cluster. Refer: https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Basicclusterarchitecture https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Howclusteredindexingworks If this Helps, Please Upvote and Mark as solved.   ... View more

@uagraw01 that is by splunk's default user role and recommended as best practices. That works with rest_properties_get but if you remove that, you will have different issues, I do not recommend that. You have different ones which are not needed there like Data inputs, Tokens Server Settings these should be handled by admin. Typical Splunk user role native capabilities. If this helps, please Upvote.  ... View more

@uagraw01 Please refer this https://docs.splunk.com/Documentation/Splunk/9.3.2/Admin/Authorizeconf Based on what I see the role might have inherited "admin_all_objects" from a different role. & also check “edit_own_objects” and “list_all_objects” capabilities [capability::admin_all_objects] * Lets a user access all objects in the system, such as user objects and knowledge objects. * Lets a user bypass any Access Control List (ACL) restrictions, similar to the way root access in a *nix environment does. * the Splunk platform checks this capability when accessing manager pages and objects.   Use this    ./splunk btool authorize list role_Splunk_engineer --debug   If this helps, please upvote. ... View more

Data Flow: Data goes DIRECTLY from UF to indexers on port 9997 (not to cluster manager) Cluster Manager only handles configuration distribution Configuration Management: Props and transforms configs are deployed via cluster manager These configs are pushed to index peers via index cluster bundle Processing Location: All parsing happens on the indexers (index peers) Each indexer applies the deployed configurations independently For Deep Understanding: Refer: https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774 Review props.conf documentation: docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Propsconf  docs.splunk.com/Documentation/ITSI/4.17.0/Configure/transforms.conf Since there are many pipeline components, I encourage you to read through these resources for a complete understanding. Simple Data Flow here. If this Helps, Please Upvote. ... View more

If you are asking for splunkcloud, you can download  private connectivity universal forwarder app.  https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Security/Privateconnectivityenable https://docs.splunk.com/File:PC4.png If this helps, Please Upvote. ... View more

To troubleshoot your sources failing to lastchanceindex, I recommend checking if your REGEX pattern is too strict. If this helps, Please Upvote. ... View more

 HF do NOT need an enterprise license if you are just ingesting/parsing.  On a HF, if you are locally indexing "you need an enterprise license"        If this reply helps, Please UpVote ... View more