@ksing Thanks for sharing the script, it's running fine. But, still the Splunk Service is not running, please refer to the below output details. Additionally, am thinking that the existing version was not uninstalled properly/corrupted. Is there proper way to clean existing Splunk entries from the device? Thanks. Output: Status Name DisplayName ------ ---- ----------- Stopped SplunkForwarder SplunkForwarder Service SplunkForwarder service is Running on Copying necessary files for splunk ... stopping splunk service copying C:\splunk_install copy C:\splunk_install complete copying Copy-Item : Cannot bind argument to parameter 'Path' because it is null. At line:18 char:26 + Copy-Item -Recurse -Path $opappsrc -Destination $appPath -Force + ~~~~~~~~~ + CategoryInfo : InvalidData: (:) [Copy-Item], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CopyItemCommand copy conmplete Start-Service : Service 'SplunkForwarder Service (SplunkForwarder)' cannot be started due to the following error: Cannot start service SplunkForwarder on computer '.'. At line:20 char:1 + Start-Service -Name SplunkForwarder + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommand Exception + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand Validating by checking if service is running. Get-Service : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again. At line:22 char:51 + Get-Service -Name "SplunkForwarder" -ComputerName $file -ErrorAction ... + ~~~~~ + CategoryInfo : InvalidData: (:) [Get-Service], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetServiceCommand SplunkForwarder service is Running on Complete

Hi, Can you please share the exact commands you've run so far? And also the values of those environment variables you set? Assuming these are the docs you're using: Python https://docs.splunk.com/observability/en/gdi/get-data-in/application/python/instrumentation/instrument-python-application.html#instrument-python-applications Django https://docs.splunk.com/observability/en/gdi/get-data-in/application/python/instrumentation/instrument-python-frameworks.html#django-instrumentation  

The ES SH should be kept separate and not joined with the existing SH into a cluster because: 1) you need at least 3 SHs to make a cluster; 2) SHs must be virgin to form a cluster; 3) ES doesn't play well with other apps and so needs to be on its own.

Hi @mninansplunk, sometimes ields with dot insied don't work in eval, so you have two solutions: use quotes: | eval MOBILE=if("network.connectType"="MOBILE","1","0") | eval WIFI=if("network.connectType"="WIFI","1","0") or use a rename before the eval: | rename network.connectType AS network_connectType | eval MOBILE=if(network_connectType="MOBILE","1","0") | eval WIFI=if(network_connectType="WIFI","1","0") I prefer the second solution. Ciao. Giuseppe

I appreciate your time, thanks again!   I figured there wouldn't be an "easy" button, finding this community for ideas is as close as it gets.  I will check out some tutorials and hopefully it's one foot after another from there.     Have a great weekend to all!