Hello, I've just installed the Splunk Add-on for Microsoft Windows and I will be collecting data from UFs that forward first to a HF and then to an indexing cluster.  The app will be deployed to multiple UFs via deployment server.  I only want to collect data from the machines that the UFs are installed on. I see that there is no way to specify within inputs.conf which index to send the data to.  I've read the documentation but I still don't understand how.  I've even found this post which discusses the same topic but doesn't really provide me with an answer that I understand (sends me to documentation for older version of the add-on). Could somebody please give me a push in the right direction? Thank you and best regards, Andrew ... View more

Hello, I don't understand why a file coming from a windows based UF does not get indexed properly.  By this I mean that some fields contain newlines that are interpreted by Splunk as event delimiters thus turning a single event into multiple events.  I can index that same file manually or from a folder input on a unix filesystem without issue. I am using Splunk Enterprise 8.0.5 with UF 8.0.5 running on Windows 10 VM.  I am trying to index ServiceNow ticket data contained in an ANSI encoded CSV file. Scenarios that work and do not work: I upload the CSV manually through the "Add Data" wizard specifying the sourcetype and it works I deposit the CSV in a local folder on the same VM Splunk Enterprise is installed, configured with the same sourcetype, and it works I deposit the CSV in a local folder on the same VM the UF is installed, configured with the same sourcetype, and it does not work I have no idea why this last scenario does not work.  Here is a simple diagram outlining the second and third scenarios (the third one doesn't work and is highlighted in red): Here is the file I am trying to index (contains one ticket):     "company","opened_by","number","state","opened_at","short_description","cmdb_ci","description","subcategory","hold_reason","assignment_group","resolved_at","resolved_by","category","u_category","assigned_to","closed_by","priority","sys_updated_by","sys_updated_on","active","business_service","child_incidents","close_notes","close_code","contact_type","sys_created_by","sys_created_on","escalation","incident_state","impact","parent","parent_incident","problem_id","reassignment_count","reopen_count","severity","sys_class_name","urgency","u_steps","closed_at","sys_tags","reopened_by","u_process","u_reference_area","calendar_duration","business_duration" "XXX4-S.A.U.R.O.N","Jane Doe","INC000001","Closed","2021-06-01 08:34:04","Short description","SYS","Dear All, For some reason this data doesn't get indexed incorrectly. There are two LF characters between this line and the previous one: THIS ON THE OTHER HAND HAS A SINGLE LF ABOVE Manual upload works, but input from windows does not... Thank you for your help and assitance. Jack","ERP","","ABC-123-ERB-SWD-AB-XXX","2021-06-10 10:19:14","Jack Frost","SOFTWARE","Query","Raja xxxxxx","Jack Frost","3 - Moderate","XXXXXX@DIDI.IT","2021-06-15 23:00:02","false","AWD Services","0","closure confirmed by XXXXX@fox.COM ","Solved (Permanently)","Self-service","XXXXX@fox.COM","2021-06-01 08:34:04","Normal","Closed","3 - Low","","","","1","0","3 - Low","Incident","1 - High","0","2021-06-15 11:00:11","","","DATA","DATA","783910","201600"     here is the props.conf stanza which has been positioned exclusively on the indexer:     [snow_tickets] LINE_BREAKER = ([\r\n])+ DATETIME_CONFIG = NO_BINARY_CHECK = true MAX_EVENTS = 20000 TRUNCATE = 20000 TIME_FORMAT = %Y-%m-%d %H:%M:%S TZ = Europe/Rome category = Structured pulldown_type = 1 disabled = false INDEXED_EXTRACTIONS = csv KV_MODE = SHOULD_LINEMERGE = false TIMESTAMP_FIELDS = sys_updated_on CHARSET = MS-ANSI BREAK_ONLY_BEFORE_DATE =     here is a screenshot of the data coming from the local folder (works): here is what it looks like when it comes from the windows UF: as you can see, it treats a newline as a new event, and does not seem to recognise the sourcetype. Is there any blatantly obvious thing that I've missed?  Any push in the right direction would be great! Thank you and best regards, Andrew ... View more

Hello! I have a really simple unix based shell script that returns info about the httpd (Apache) service.  The script is encapsulated in an input, so the printf statement becomes the event.  Each event is one line only. Here is an indexed event coming from the UF (with highlights that I will explain successively): For some reason the sourcetype is not working since _time is not what I specify, rather it is half from the field I want (timestamp in green) and half some text in the payload that i do not want (date in red). The sourcetype is currently this (it has gone through many evolutions): [linux:httpdinfo] SHOULD_LINEMERGE = false KV_MODE = auto MAX_TIMESTAMP_LOOKAHEAD = 30 TIME_FORMAT = %Y-%m-%d %H:%M:%S %z No matter what I try I cannot seem to get it to work. Could somebody give me a push in the right direction? Thanks! Andrew ... View more

Hello, I am a bit confused as to how Splunk manages its indexes through AWS cloud services, and I am not sure whether both EBS and S3 services are interchangeable for thsi type of deployment.  For example, is S3 only for archiving frozen buckets, or can it be used for hot/warm/cold buckets as well? Is there some documentation about best practices here?  Compare and contrast? Thanks! Andrew   ... View more

Hello! My objective is to be able to use JavaScript to overlay buttons onto a Splunk table viz, listen for a click, and then do something upon clicking.  I've managed to overlay the buttons but I'm not sure how to listen for a click.  If I add buttons to the dashboard via an html tag then it seems that the listener gets added automatically.  Below is a run anywhere dashboard + JavaScript containing: An HTML table with two buttons added to the cells in dashboard XML A Splunk table with two buttons added to the cells using JavaScript All buttons have been assigned the class "html_button".  The click listener that I associated to the "html_button" class only works with the HTML table. How do I add a listener to the JavaScript overlay buttons? Thank you and best regards, Andrew --------------------------------------- Dashboard   <dashboard script="overlayTable.js"> <label>Buttons and Listeners</label> <row> <panel> <title>Buttons added to HTML table</title> <html> <table> <tr> <th>Button</th> </tr> <tr> <td> <button type="button" class="html_button">x</button> </td> </tr> <tr> <td> <button type="button" class="html_button">x</button> </td> </tr> </table> </html> </panel> <panel> <title>Buttons added to Splunk table using Javascript overlay</title> <table id="tableVizualization"> <search id="searchObject"> <query>| makeresults | eval Button = "x" | append [| makeresults | eval Button = "x"] | table Button</query> <earliest>0</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </dashboard>    overlayTable.js   require([ 'underscore', 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!' ], function(_, $, mvc, TableView) { // Add overlay buttons to table var CustomRangeRenderer = TableView.BaseCellRenderer.extend({ canRender: function(cell) { return _(["Button"]).contains(cell.field); }, render: function($td, cell) { var strCellValue = cell.value; if (cell.field === "Button") { var strHtmlInput="<button type='button' class='html_button'>x</button>" $td.append(strHtmlInput); } } }); // Render table mvc.Components.get('tableVizualization').getVisualization(function(tableView) { tableView.addCellRenderer(new CustomRangeRenderer()); }); // Listener for html_button class $('.html_button').on("click", function (e) { alert("Button clicked!") }); });     ... View more

Hello! My objective is to read the values of a Spunk table visualization from a dashboard into a JavaScript object for further processing.  I'm not sure what object yet, but my main issue lies with iterating through the table and extracting the cell values. Can anybody provide some sample JS code for identifying the table object and interating through its values? Thanks! Andrew ... View more