Thanx. Next time when you paste something please use </> code block to avoid character changes etc.  Based on those I suppose that your data haven't correct values what you are looking for. You should check it by clicking magnifying class on right bottom corner of your dashboard's individual panel. This opens exactly same search you to separate window/tab and you can see what events it found. Then you can debug it by e.g. commenting rows away from bottom to top.  ... View more

Are you sure that those queries are used on those panels? Or are there some other filtering after those queries which remove all results? Can you share those panels source and also your sample data (with anonymous values when needed)? ... View more

Did the installation verification gives any other reason why it couldn't succeed? But as already said, you must create a support ticket. ... View more

Based on documentation this is supported configuration. There could be several SHC serving by one deployer, but all those SHCs must have an equal configuration. Of course they can have different amount of members and those size could be different in every SHC. But honestly said I couldn't find any real use cases for this. Only one which comes my mind is that those SHC:s have different user bases and some configuration are managed with SHC GUI (which is not wise). Definitely it's better and easier way that every SHC has it's own Deployer. Using one Deployer with several SHCs will be road to issues. ... View more

Here is your original search  index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1 You should do it like index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY DR1=* | timechart count by DR1 or index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | eval DR1 = coalesce(DR1, "DR1 N/A") | timechart count by DR1  https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/ConditionalFunctions#coalesce.28.26lt.3Bvalues.29   ... View more

Usually I ask, How fast you could fix the issue and use that answer to make decision how frequently those alerts should run. Normally I try to use something between 5min to 1h. Of course there could be cases where this must be 1min or longer than 1h. ... View more

If you have single indexer you can migrate it to cluster and then multisite cluster quite easily. You can found those steps on  https://docs.splunk.com/Documentation/Splunk/9.4.0/Indexer/Migratenon-clusteredindexerstoaclusteredenvironment https://docs.splunk.com/Documentation/Splunk/9.4.0/Indexer/Migratetomultisite You can create one node cluster if needed or use several nodes on site and of course same amount and size of nodes in DR site too. Without this with other tool it will be more complicated to build DR and especially working DR site. So I strongly recommend to use Splunk's own way to do DR! ... View more

For DR purposes you should use multisite cluster option. See more https://docs.splunk.com/Documentation/SVA/current/Architectures/M2M12 ... View more

Is this a new feature on dashboard studio? From which version it works? ... View more

If those hosts didn’t contains any other data then just stop UF then remove …/var/lib/splunk/fishbucket (check spelling on your node) directory. Start UF service and it start to indexing everything from scratch. Then do this same for other nodes. If those nodes contains also some other events what you cannot reindexing the you must remove those file by file and start reindexing only for those files.  Here is one old post about it https://community.splunk.com/t5/Deployment-Architecture/Use-btprobe-reset-to-re-index-multiple-files/td-p/313186 ... View more

And you have updated the IAM role to include that new endpoint? ... View more

That’s an excellent point. Actually you must do it or at least check if this is needed every time when you add a new data source. It not matter is it a new source system for indexing to current indexers or a totally new indexer or cluster to your SH. ... View more

Hi have same or different lexical form of splunk.com and your local splunk box account name? If those are formally same it’s quite possible that your browser’s password manager thinks that those two different site passwords should be same and it’s offering to you update those to the same.  As @MuS said there are two different accounts one for splunk.com and also for splunkbase then second one for your local splunk instance. I strongly propose that you are keeping those to have different lexical format. Otherwise you must be really careful to avoid updating wrong password. ... View more

If you can connect locally with curl everything is basically ok. It means that issue is on network side. Have you any node on the same subnet (no network fw between it and splunk), where you could try curl to this host? Another test which needs to do is try curl on splunk host, but use the official url not localhost. And if there are LB/VIP address before splunk nodes, then use also that and splunk nodes ip too. In that way we can try to find where the blocking fw. We have several RHEL 9 cis v1 hardened boxes and there is no issues with them.  ... View more

Have you already checked that both HFs have same IAM roles, permissions etc. if those have created manually with gui or cli it’s quite possible that some configurations are missing. ... View more

It goes exactly this way. If those are individual indexers then add those one by one a new search peer in SH. If those creates a new cluster then as 3rd CM into your SH. ... View more

You could write it like “/<splunk_home>/bin/splunk btool server list --debug proxyConfig” Which shows what this stanza gets from different conf files. ... View more

It should be installable even it’s archived. Ok, it seems that policy has changed and there is no more download button for archived apps. Let’s check if anyone known more about this on slack. https://splunk-usergroups.slack.com/archives/C0453SZLGHX/p1738101637411249 ... View more

Based on that, it’s up and running. Have you try it with that node e.g. with curl and using localhost? How about splunkd_acces.log and web logs etc? Are there anything? And selinux? Any entries on auditd? ... View more

Has splunk started web gui process and are it listening on that host or is it totally down? ... View more

Hi I’m quite sure that you are on correct path. Unfortunately I haven’t now some examples in my hand where that or quite similar options have done. You probably know simple xml example app and its debug part? If not there are some instructions how to use it https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf Anyhow use those init, finalize parts on searches and also check token and form.token values. Time by time you must use one and another time/purpose another one. Also that simple xml debug part helps you to understand how and when those are different. I try to find those examples later if you cannot solve this or nobody cannot help you beforehand. r. Ismo ... View more

You must put those configurations in first full splunk enterprise instance from source to indexers. If you have separate HF which is endpoint for those udp feed, then those must be there. If that is UF and then you are send events through IHF then add those conf there. And if there haven’t been any HF before indexers then add those configurations in all indexers. And as said it’s better to use real syslog server to terminate syslog feeds a use e.g. a UF to collects events from files or use SC4S for that. ... View more

The best instructions for real time alerts is never ever use those! Usually those generate more issues inside and outside of splunk e.g. in email systems when there are some mistakes in configuration or even any mistakes. Instead of real time alert you should use scheduled alerts. Just select suitable time schedule for based on individual alert. When you are creating those check if there are regularly some latency when indexing events and if, then adjust earliest and latest based on that. For sending emails, you could add needed configuration for base splunk email settings or add some alert actions to do it. Personally I prefer to add links to alert into its body, never add real data into it. Time by time there could be some static or similar content. But never send real events outside of splunk. More instructions can found from community/answers and also alerting manual. ... View more