It's one of those settings which you can put into the default stanza but can override it on a per-index basis. In other words - you can set all indexes as replicated by default and then override this behaviour and decide that this and that index are not replicated or vice versa - make all indexes not replicated except for a few chosen ones (not a very bright idea but hey, who is Splunk to tell you not to shoot yourself in the foot, eh? 😉) ... View more

OK. "Did not succeed" doesn't tell us much. 1. What do the logs say (on both ends)? They should tell you if the connection has been attempted, if it failed, how it failed and so on. 2. Try connecting directly from the UF machine to the indexer using openssl s_client splunk cmd openssl s_client -connect <your_indexer>:<port> -showcerts And see if it works. ... View more

Can't do anything without knowing your actual data 🙂 (possibly anonymized if it contains sensitive information somewhere in the middle). As long as you don't have valid data which looks like a timestamp in the middle of your multiline event, you will probably be good with something like (might need adjusting to your date format) LINE_BREAKER=([\r\n]+)\d{2}/\d{2}/\d{4} And don't touch SHOULD_LINEMERGE - it should be set to false and never ever changed to true (honestly, there are almost no valid use cases for it to be set to true). ... View more

I'm not saying that it's great news since the support is limited and so on but it's good to know that at least _someone_ has at least _some_ knowledge of what's going on 😉 Thanks for sharing. ... View more

Yup. But if you have a big dashboard, especially powered by badly written searches, and a very short refresh time... That's not gonna end well 😉 ... View more

@livehybrid's idea is one possible way. Another way would be to render one bigger dashboard and use some clever CSS/JS to slide the contents within the visible area. ... View more

OK. Yes.  I found it. https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Set_up_the_deployer "Deploy to multiple clusters The deployer sends the same configuration bundle to all cluster members that it services. Therefore, if you have multiple search head clusters, you can use the same deployer for all the clusters only if the clusters employ exactly the same configurations, apps, and so on. If you anticipate that your clusters might need different configurations over time, set up a separate deployer for each cluster." But honestly,  I can't think of any reasonable use case for this. ... View more

Honestly, I've never heard about such possibility. Since you're bootstrapping a SHC member from a deployer, how would you decide which SH is a part of which cluster? Also if you're applying shcluster bundle, you're pushing it to one member and let others replicate their config from there. How would you expect to do it with two SHCs? (OK, you could do the push explicitly to two different SHs but I'm not sure if that would work). Why do you even want to to something like that? If you have enough machines and they are supposed to have the same config why not create a single SHC? ... View more

It is also worth remembering that some sources can have their specific characteristics. For example if you're getting WEF-forwarded events with pull-mode, you can receive events in batches every 15 or 30 minutes. For other sources there can be a significant jitter in event delay so they can be backfilling your indexes past the search window. These are just some specific examples to general issues raised earlier. So there is no single answer that fits all possible cases. ... View more

From experience - the initial answer from the requestors will be probably "as soon as possible". Don't fall for that. ... View more

You can also use the tstats with prestats with count. | tstats prestats=t count where index IN (network,proxy) by index _time span=1h | timechart span=1h count by index   ... View more

As I said - read the dbinspect docs - specifically the section about the "cached" parameter. You can get that info but it will only pertain to the local copies of the buckets, not the cached metadata. Which makes sense since cached metadata only contains the general "boundaries" of the bucket, not its data distribution inside. ... View more

This has nothing to do with the command being run from CLI. It means that the index you're trying to dbinspect is a smartstore-enabled index and therefore you only can do limited dbinspect on it. See the docs on dbinspect command for details. ... View more

And how are we supposed to know what is the cause of this error when we don't know what error it is? ... View more

This documentation is confusing. First it says about automating the rolling upgrade of SHC, then it lists upgrading standalone SH as a use case. To be honest, I'd avoid using this app. If not for any other reason, it supports only using tgz archive to replace the running splunk instance whereas I tend to use system packages (rpm or deb) whenever possible. ... View more

Actually, this is not entirely true. 1. With HEC the "basic" form of... well, it's not even authentication as such since the token is not very secret and is often used by many different sources, is a HEC token. 2. Additionally, you can limit source IPs from which the HTTP input accepts connections (the acceptFrom setting) 3. If you have TLS enabled you can use requireClientCert option to require the client to present a valid cert. By default this option is disabled so HEC can accept TLS connection from anyone (possibly with exception for clients not meeting the defined sslVersions or cipher suites). 4. Additionally to 3. you can limit accepted clients to only those presenting clients containing either sslCommonNameToCheck values or sslAltNameToCheck. It's a relatively rarely used option since as @isoutamo said - typically HEC is a rather "open" input but the options are there. I don't remember for certain but I think the 3. and 4. parameters can only be defined on a HEC input as a whole, not on a per-token basis. ... View more

You are doing isnull(Item.Subject) Since you are not enclosing the Item.Subject part in quotes (in this case - you should use single quotes) Splunk treats Item and Subject as separate field names and tries to concatenate (the dot operator) their values. Since you have no fields called neither Item nor Subject in your data, the result of joining two null values is of course null as well. You should do isnull('Item.Subject') to get a correct result. Spath is not needed and since Splunk has already done automatic json extraction, it's a needless performance hit. ... View more

Normally timestamp extraction (given it's properly configured) works pretty well and Splunk doesn't have to resort to the fallback action of assigning the current timestamp to the event. But the data ingestion must be properly configured - the sourcetype must have correct settings for the given time format and the sourcetype must be defined at the right place (on the correct component). In your case we have no idea what the ingestion process looks like, how many components are involved, where the settings are defined, what sourcetypes you are using and so on. Furthermore the fact that <777> 2025-01-03T06:12:19.236514-08:00 hello world event which looks like "almost normal" syslog message (the <777> is definitely not a correct facility/priority combination) is getting transformed into Jan 28 14:27:25 127.0.0.1 2025-01-03T06:12:19.236514-08:00 hello world suggests that there is some intermediate step (the 127.0.0.1 part is not a part of the original message). ... View more

More words please. What are you trying to achieve? If you just want to list all buckets for a given index you can do something like this: splunk search "| dbinspect index=_internal earliest=1 | table bucketId state" ... View more

As for the timeout issue - it is most probably a network-related issue. A client tried to establish a connection and request some resource but didn't manage to do it in an allocated time window so returned a timeout error. This needs verifying on your end - whether the sites which are to be monitored are reachable, what connection parameters you use (or what are the default parameters if the addon doesn't let you specify them) and so on. As for "urgent assistance is required" - this is a volunteer-based community. People use their spare time to help others. For "urgent assistance" you typically go and pay. Splunk Answers is not a substitution for support or professional services. ... View more

Application obsolescence is one thing. Performance is another (yes, there can be differences in performance between those apps but still as one is getting obsoleted it might soon be difficult to find support for it). Unless you have just one big source (in which case it might indeed be difficult to scale up your environment to meet the demands for performance) you might want to consider splitting your eStreamer sources between different HFs so that you don't have a single component overwhelmed with inputs. ... View more

There are two sides to this coin. 1) Yes, if you add another cluster or a standalone indexer your search will be distributed there as well (unless you explicitly limit your search) 2) ES will only work seamlessly if the data in your new indexers matches the already existing configuration. So if you just connect indexers containing more of the same stuff you already have you should be good to go. But if you've been only processing - for example - network data so far but add indexers containing endpoint events you might need to adjust your ES configurations, datamodel accelerations and so on.   ... View more

The main question is what the dashboard is supposed to be for. Are you solving some problem from within your organization? In such case - as @richgalloway pointed out - you should have requirements for this dashboard. Are you preparing a PoC/PoV as a partner? Consult partner portal resources for existing demo resources. Are you looking to expand existing Splunk infrastructure within your company to different divisions and use cases? Consult potential stakeholders and check what would be their expectations on the product and try to make something targeting their needs. The general answer is "depends on what you have and what you need". ... View more

You (or a responsible person designated by your organization) should have received a license file. You need to upload this file to the webui (or copy-paste its contents). Or use the CLI to add this license file. Anyway, you need a _file_ describing your license capacities. If you don't have it and due to some organizational changes have no idea who should have received it work with your Splunk sales contact on this issue. ... View more