Contact Splunk Support.  They may have a link to a version that works for you. ... View more

You must have a license to run ES before you can download it.  A Developer license does not grant access to ES. ... View more

To allow the UF access to port 514, try this setcap 'cap_net_bind_service=+ep' /path/to/uf ... View more

Those error messages are saying Splunk does not have permission to use port 514.  All ports <1024 are "privileged" and require special permission to access.  Running Splunk as root will solve that, but I highly discourage that. The recommended practice is to send syslog data to a dedicated syslog receiver (syslog-ng, for example), have it write the data to disk, and have a UF monitor those disk files.  You also can use Splunk Connect 4 Syslog (SC4S) to send the data directly to Splunk. ... View more

Adding on to @livehybrid's response, sending TCP/UDP directly to a Splunk instance is discouraged.  The reason is any time that instance restarts data is lost.  Also, the usual distance between the data source and Splunk increases the chances of UDP data getting dropped. ... View more

Check out the search_et and search_lt fields. ... View more

What have you tried so far?  What were the results? ... View more

Are you using the exact same time span each time?  That is, not '-24h', but "2025-06-23:15:10:00". Please share your SPL. ... View more

For some reason, Splunk has stopped receiving data.  It could be because of any of several reasons.  Check the logs on indexer for possible explanations.  Also, the Monitoring Console may offer clues - look for blocked indexer queues. ... View more

Contact Splunk Support for versions not available on the web site. ... View more

An unset token has no value, but it is not null, either.  It's as though the token doesn't exist. Splunk will not execute a query if any of the tokens within it are undefined. ... View more

The REST API lets you run searches and retrieve the results, but cannot render visualizations.  That's normally done by the web browser so if you're not using that then Splunk visualizations are not possible.  The customer would have to use the data fetched by the API in another tool to create charts. ... View more

Splunk Support can get access to the file system if they don't have, but they no doubt will ask "Why do you *need* to know?".   I, too, wonder why you *need* to know.  Splunk Cloud is a service and how that service is provided shouldn't matter as long as you get what you pay for. What problem are you trying to solve? ... View more

The dbinspect command will give you the sizes of each bucket, but there's nothing I know that will break that down further. To reduce the size of tsidx files, do fewer index-time field extractions (especially JSON) and only accelerate the datamodels you use. ... View more

@Bhart1 wrote: So is there no way to have it match the first and last strings while excluding a certain middle part? Something like: "[string1, regex to exclude middle part, string2]" I mean it's pretty clear with the matching string and regex that the point is to match everything but the changing IP.  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost You can do that, and it's done all the time.  However, the regular expression MUST be a single quoted string.  Something like this. | regex process !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$" I disagree with @PickleRick about the escaping.  I think you have that part right. ... View more

Please put the *real* and *complete* macro definition in a code block so we know exactly what we're working with and can test it in our own sandboxes.  Please also include how the macro is used in a query. ... View more

[field] is improper syntax for the regex command.  Use the field name by itself.  If it's an argument to a macro then use $field$. ... View more

If your problem is resolved, then please click the "Accept as Solution" button to help future readers. ... View more

To convert that UTC timestamp into local time, try this eval command | eval PlanDate=strftime(strptime(PlanDate . "Z", "%d-%m-%YT%H:%M:%S%Z")) Appending "Z" to the timestamp tells Splunk to treat it as UTC instead of local time. ... View more

Please put the query in a code block so it's easier to read and to avoid it being rendered in emoticons. How is this query not working for you?  What are the expected results and what results so you get? The split function should not be using 'index' as the first argument.  The value of that field, "splunkdata-dev" does not contain any commas.  You probably should use _raw. What is the intention of the subsearch in the table command? ... View more

Do the files have a common header?  If so, you may need to set initCrcLength to a value larger than the header. ... View more

There may be more than one way to do that using regular expressions.  Here's one of them. | rex field=API_RESOURCE "\/v(?<API_RESOURCE>\d+)" Use this command line in place of the existing eval. ... View more

The strptime function will return null when the format string does not match the value in the field.  Other than meta-characters ('%a', etc.) the format string must match *exactly*, including spaces.  That means including spaces in the format string if they are expected in the data. That said, the sed command should be removing the extra spaces so no accommodation in strptime should be needed. ... View more

If there are no errors on Splunk's end then your email provider should be contacted to find out why the messages were not delivered.  It's possible the message were treated as spam or there was another problem that prevented delivery. ... View more

@sainag_splunk's answer is correct, but be aware that not all searches specify an index name and those that do might do so using a wildcard.  This is a Hard Problem addressed in the .conf24 talk "Maximizing Splunk Core: Analyzing Splunk Searches Using Audittrail and Native Splunk Telemetry", which offers some ways to get the indexes used by a search. ... View more