Data rolled to frozen directory is coming as inflight data and it showing size of it as 0. There are few details about inflight-db as too why they happen basically Splunk says that they are created when Splunk is writing from warm to cold but not much more than that.   So lets say that Splunk is writing buckets and its like 100 GB worth of buckets if lets say you had 3 indexers with buckets that were 3 months old and you forced all your buckets from these 3 indexers to move to cold. As long as they had write access to your storage should there even be inflight dbs? or is that too much to write at once and Splunk is like nah I dont think so. And therefore writes some data but the rest it just make some error log and calls it a day.   So is there a limit as to how much can be writen to cold at one time? If it is writing and that write gets interupted then why does it see that and just resume where it left off to complete the transfer? I know there are logs  but seems to me it should be like watching a movie with internet I should be able to pause and then resume when I'm ready or better yet if  100 buckets start writing and some technical issue happens at 1/4 or halfway then that bucket writing should either cancel full stop and tell me in plain language or pause and resume when connection is back up. ... View more

We have a sandbox environment  with vpsphere and it works mostly just fine we believe the time sync is corect because we have it set to use internet to auto update and for the sake or being free of errors we have disabled firewalld. (this is a  mostly linux env) howerever we are getting the following erorrs see attached ... View more

So we rebuilt out SHs aby completely blowing them out and started with a fresh 9.1.01 install. Then just for kicks before making a SH  Cluster I installed the Splunk Security Essentials on one of the SHs and The app worked wonderfully but when I made it part of a cluster It gave  errors I am attaching a snipits of both so you can see. Keep in mind that all that was changed was that I put the SH into  a cluster and then got the errors. ... View more

 I think my question is --Is the Search overall returning the SRC filed the way it does because  either A there is no data or B filling in from the search and the search needs to be changed. This is a tstats search from either infosec or enterprise security. What should I change or do I need to do  something different. ... View more

We keep getting warnings such as  We have gone into the savedsaerch conf files and renames them on a diferent SH but I dont think thats the answer. So my question is what is the answer? ... View more

So I have been trying to get SC4S working and I know where the docs are--> https://splunk.github.io/splunk-connect-for-syslog/main/ I have followed this well and gotten SC4S event in and have tested HEC data in successfully. However for some reason I cant get Epo data in I am attaching image of my env_file and proof that I got SC4S working.  as well as a concern. I need to know what I should change. Thanks. ... View more

There a re many good Apps in Splunk Base and if your asking for compliance some APPS will ask you too make sure your data is "CIM compliant" Mainly the infosec apps and the compliance essentials for splunk I have done more searching on this than literally anything for Splunk "So Far" and one thin I can find is a example where they have all details laid out and obvious as to what that looks like. I guess I figured most of the communities looked the same because the data looks the same going in but it feels like rocket Science. I tried to follow things like https://www.deductiv.net/blog/splunk-cim-performance/  but even that has had some fields not show up where I know they should in Infosec App especially. That has me ultimately editing the macro for Authentication but I have also read don't edit this so what gives? Maybe I am going about this the wrong way. So if you can either show me what you env looks like----- OR point me to a place that does splunk CIM compliance fomr a-z in all relevant fields for dummies I would be very interested thanks. ... View more

As stated by the Title We have a test env for learning but at some point it will be a larger production deployment with that said we have a Clustered Env on a vsphere server and one of the boxes is a win2019 server with EPO/Trellix on it. So I would really like to know what best practice step by step on sending that data over rom the EPO server to Splunk whether that be to a indexer or to a heavy forwarder? Do I need to put up some kind of syslog server somewhere or since its a Windows server should I just put a forwarder on it and use that to send data?     ... View more

This is mostly about the App Compliance Essentials and i had one other question first iam getting an error see below but I have all supporting apps installed but don't know how to fix the problem.  Lastly do the apps in shcluster/apps all need to have a default folder with a app.conf file in them? I have noticed most of the apps that properly present themselves on my SH have these folders and files.   ... View more

We have a Search Head clustered and Indexer Clustered env. we have a deployers which is not a SH or and Indexer just a linux machine on the same network  I have put the apps that I want in my SH into /opt/splunk/etc/shcluster/apps and did the command suggested but they dont show up under apps.  why is this? lets say you have apps in your search heads but not in your deployers under shcluster/apps if you run the update command the way it is describes seems like it should get rid of those apps in your search head but it doesn't. Why? if we are putting apps in shcluster/apps in their .tgz format. How does that make them visible in the SH env?   PS if there is anyone out that that had setup and deployed in a Dod type env that has some lessons learned please let me know also would like to get some other insights. ... View more

I am in a environment and I am able to get data in from a general perspective. We have a index clustered and search head clustered test  env  I can search *  and get data in andjust deal with that. we have the CIM vladiator app and we get  errors such as the following  So then I go and hunt the splunkd.log files of said location but really cant make heads or tails of whats important to solve any issues I may have. attached are  the splukd.log from sh01 and indx03,indx03 and indx04 respectively.     Should I care about info warning and should I worry about warnings or should I focus on errors? Keep in mind I have tried to search Some of these errors but they answers are amiguitous or not relevant or don't work.  Is there a strategy that people use to go about this ? is there anything that is seen on here that stands out? ... View more

 does this affect anything typically? I ask this because I have apps that I downloaded from splunkbase and put into /opt/splunk/etc/shcluster/apps and rand the command recomened but thoses apps arent showing up in apps on any of my SHs in my cluster ... View more