Hi as you have an individual servers, you could use this method https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/528064/highlight/true When you have several indexers you should consider to migrate into clustered environment. You should read this https://docs.splunk.com/Documentation/SVA/current/Architectures/TopologyGuidance r. Ismo ... View more

Here https://conf.splunk.com/files/2019/slides/FN1003.pdf is something to read. It explains how splunk see and use fields when it searching events from buckets. ... View more

The easiest way is copy your indexes.conf from your cluster manager. Then just ensure that it doesn’t contains any SmartStore or other unknown targets etc. then create a new app which contains only this indexes.conf and other files which are needed by any app. Then install this app into your HF. But as said, you should use some real syslog server instead of use splunk tcp/udp inputs for getting syslog feed into splunk. Even splunk can do it, there are some side effects with it. Probably the biggest is that you will lost all syslog events when you are restarting HF. And this could take several minutes instead of using syslog server or clustered syslog implementation. You could easily find some old posts where we have discussed about it and give some hints how to do it. ... View more

Ok. It’s better to use terminology from Splunk SVA documentation https://docs.splunk.com/Documentation/SVA/current/Architectures/TopologyGuidance. In that way we all understand better and clearly what others have. In this case you have single server installation (S1). When you have S1 and also DS role configured into it and you want to use IA, I’m not sure if that is valid architecture or not with IA? You cannot configure server itself with DS and when you are using IA in server with DS I’m not sure if IA part is always use DS or not in that case? Also UFs is not supported platform for IA and it could try to install also IA part to those? Can you find anything else from internal logs which can explain what has happened? ... View more

What you are meaning with “ that our deployment and indexer are on the same server”? What is this deployment, is it deployment server or something else? Have you one indexer or several and/or cluster? When you are deploying with IA are targets only HFs or are you managing also UFs or other HFs without IA rulesets? ... View more

What is in your props.conf? ... View more

Is there any possibility that there are field named sourcetype in your event? ... View more

How you are creating those kvstore lookups in HF? What is the reason to use kvstore instead of csv file or modular input to send those directly into indexers? ... View more

What is your architecture and how you have configured IA? ... View more

Have you also add this into outputs.conf? [indexAndForward] index = false https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-distributed-search/best-practice-forward-search-head-data-to-the-indexer-layer ... View more

It's better to create a new questions instead of use old closed thread to get more comments. ... View more

If you know stanza name you should add also it.  Currently there is also splunk app called Admin's little helper, which you could use to run btool from MC or splunk cloud. I strongly recommended to install and use it in any distributed environments! https://splunkbase.splunk.com/app/6368 ... View more

Are you running this on SH or SHC? Are your result set events or transformed results? https://docs.splunk.com/Documentation/Splunk/9.4.2/SearchReference/Loadjob ... View more

Have you try to dispatch your query first then look when it’s ready and after that export results instead of do it in one operation? ... View more

If I recall right there aren’t any native method to get app from enterprise to your own workstation. You could install e.g. git client or some app like Splunk Version Control https://splunkbase.splunk.com/app/4355 and use it to get app via git. ... View more

As said don’t use DS as HF. Those are separate roles and didn’t work well together in any bigger environment.  @livehybrid already post splunk instructions how to do it. When you are using IHF (intermediate heavy forwarder) you always should use at least two to avoid unneeded service break when you need to do restart after config changes. Then you should consider to use async forwarding to spread events equally over your SCP.  As @gcusello said you shouldn’t index anything locally when you have SCP. Or if you really need it then you must buy separate splunk enterprise license for it.  Then when you have both Linux and windows UFs you must use Linux as a DS if you want manage both platforms. It’s technically impossible manage Linux UFs correctly from windows DS.  ... View more

The latest 9.4.x has own issues with platformVersion etc. so please check 1st are there anything else which could affect your environment! Then select suitable version to update. ... View more

In slack there have been discussions that staring of 9.3.x some user preferences have moved into kvstore. Unfortunately that is not documented. I’m not sure if that affect also in this case, but I suggest that you will create a support case for Splunk. ... View more

As @livehybrid said this seems to be bug. So create a support case to splunk for it. ... View more

You should use asynchronous forwarding to help this situation. Here is one instruction for it https://splunk.my.site.com/customer/s/article/Asynchronous-Forwarding-to-Splunk There are lot of other articles about it, which you could easily found e.g. by asking those from your favorite search engine. ... View more

Here is link which contains a tool to find and download old unsupported splunk versions https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Migration-from-RHEL-to-AL2023/m-p/749226/highlight/true#M22568 It contains also some discussion which you should know when you are planning an update and do it. ... View more

Could you describe what is your issue which you are trying to solve? Not the action how you are solving it! ... View more

Hi as other already said it isn’t currently possible. If you thing that this is really necessary then create entry into ideas.splunk.com. Of course you could encrypt file system level with os / cloud tools if needed. Then you could create separate environment for those indexes. But you must have also separate SH for access those indexers where those indexes are. And remember that when SH have done those queries then data will be on their disks for some time before it will expire. For that time anyone who has command line access as splunk or root can see that data.  So you have lot of other things to consider than just add key to access those indexes! r. Ismo ... View more

Where these add ones are running? As you have distributed environment you should have separate HF where those are! Then you could add needed props&transforms on it to filter unneeded event away. Other option is configure your cloud side to use separate targets for those logs (e.g. S3 buckets etc if possible). But this is depending on your apps and environment. ... View more

If you are ingesting with UF then props and transforms should work as in on prem.  You must just install those into first full splunk enterprise node. What is this “the add on”? And is it running on HF or UF? If you have lot of logs to filter then you probably want to use IHFs between UFs and your indexer cluster?   ... View more