I missed ES part earlier. It probably explains your issues. It depends on how many correlation searches and CIM accelerations are running your single box, but I suspect that your environment is too much for running it in single node. You could find monitoring console under settings. There are links/icon for it. Just click it and then enable it from its setting tab/link. After that there are Search link where you could look those several dashboards which shows e.g. what are those deferred and skipped searches.   ... View more

Thanx. Can you copy that part from db_inputs.conf? Also add relevant part from inputs.conf, so we see the schedule also. And put those inside </> editor tag, so this platform didn’t change your paste and it’s easier to read. ... View more

Please, tell more about your architecture, deployment, splunk version, daily ingestion amount also how many searches (scheduled vs ad-hoc) you have. ... View more

There are known issues at least some 9.4.x versions UFs and HFs at least. You could try 9.4.4 (some CVE, so if those are affecting you don't use) and 9.4.6 at least are working in our cases. ... View more

On more comment for this. When you have multisite configurations with SHC nodes divided to several sites. Then those election requirements are easier to fulfill when one site crashed. ... View more

I don't believe that you can install same license on both sides. Basically it's deny in license rules and there could be issue with collecting internal logs which contains that information. In that case you have 72h to fix issue or splunk disable your searches at least. But you can ask that Splunk Support split to your licenses. Or ask DS/HF license from them. Currently the easiest solution is behind this link https://splunk.my.site.com/customer/s/article/0-byte-license-for-Deployment-Server-or-Heavy-Forwarder You could just download that 0-byte license there. ... View more

Hi If I recall correctly you should use _SYSLOG_ROUTING to get events formatted correctly for syslog protocol? Here is Splunk's article about it https://splunk.my.site.com/customer/s/article/Does-adding ... View more

You have _index_earliest and _index_latest, but what are your earliest and latest. Actually this is your search from splunk index, but what is your DB Connect input SQL statement? ... View more

You can access edge prosessor on Splunk Enterprise 10, but it works only in linux version. So if you are running it on Windows or macOS then it didn't work. There are instructions how to enable EP control plane in Enterprise https://help.splunk.com/en/splunk-enterprise/process-data-at-the-edge/use-edge-processors-for-splunk-enterprise/10.0/getting-started/about-the-edge-processor-solution just follow up that instruction and then you should get it to work. ... View more

What kind of SPL query you have in your db_input? What is it's current schedule? How you have verified that event's haven't have come to splunk? Are you sure that there are events in DB for that time and also that those events are there on that time when you are quering those with DBX in 1st time? ... View more

Basically this should work. $job._time$ count $job.count$ Of course it depends on what you have in your report. ... View more

IMHO: in any reasonable sized environment you should have separate apps for different business units / systems. Don't use Search And Reporting for anything especially if you have or plan to have SHC environment. ... View more

If there are only some indexes which you are using and you have configured your HF to send everything into indexers (which is the best practices), then you should just add those needed indexes e.g. via GUI as you add indexes into your indexer (not indexer cluster). If you have indexer cluster then just copy those needed indexes your indexes.conf and use those. Just ensure that you are using local directory for index target, definitely not any Smartstore or other remote places. ... View more

Hi your current requirements contains some elements which are not directly supported by Splunk multisite cluster. Also it has some other stuff which mens that this is not a community support case. You should contact either Splunk Professional Service or some local Splunk Partner who can help you. r. Ismo ... View more

What is your problem which you are trying to solve? I mean real issue not how you are trying to solve it? ... View more

Nice to hear that this solve the issue. BTW here is excellent presentation how everyone should manage Splunk access https://conf.splunk.com/files/2023/slides/PLA1169B.pdf If you haven't full CI/CD pipeline with needed parts then you could/should somehow simplify this, but in generally speaking this is excellent way to manage RBAC access in Splunk. ... View more

For some reason @livehybrid forget this link https://github.com/livehybrid/downloadSplunk 🙂 ... View more

As said you could use props+transforms or ingest actions to do this in HF, but it's always better to do this in inputs.conf on UF. Of course if someone else is managing those UFs and you haven't (or cannot trust) control of those then you must setting index on HF side. ... View more

This sounds like your Customer role hasn't defined all access which are needed to get data. Can you check what are roles which are needed for display that dashboard including all KOs like macros, eventtypes, reports etc. Usually that Oops screen means that this user/role hasn't access to this dashboard/report etc. ... View more

Have you used btool to check it? It could be defined in several apps + system/local and without btool it's almost impossible to see what you really have. ... View more

It should works as already said.  If it didn't work then maybe you have too long json event or it something like json but not exactly. Please give some more information to us if needed. ... View more

I have client which is sending events via databricks to splunk.  As already said you should use HEC for sending those events. But it needs some configurations inside Databricks to manage those streams or read those again from data storages. Then you must define how many events you send at time or otherwise it's big risk that it try to send too much (which leads crash of splunk as OoM killer). ... View more

What you actually mean with this "connection from host (nginx servers) to splunk gets cut (sometimes)."? Is the connection always down, will it start to working after some time or after something has done? Or something else? ... View more