Hello all, I have a requirement to forward events from a search result to an API and store the response from the API call made by an alert action back to a custom index. How can I achieve this. Please help. Regards, Naresh ... View more

Hi Everyone, I am working on an addon to collect event result based for an an alert and send it to an API endpoint. Once the response is success the endpoint returns a success message in a json format and I Want to store it in a custom index and sourcetype. I tired using below code but the data is written to Main index instead of my custom index. Is there way to write the event in to custom index for an alert action build via Splunk Addon builder. helper.addevent("hello", sourcetype="customsource") helper.addevent("world", sourcetype="customsource") helper.writeevents(index="mycustomindex", host="localhost", source="localhost") Regards, Naresh ... View more

Hi Everyone, I am working on an addon to collect event result based for an an alert and send it to an API endpoint. Once the response is success the endpoint returns a success message in a json format and I Want to store it in a custom index and sourcetype. I tired using below code but the data is written to Main index instead of my custom index. Is there way to write the event in to custom index for an alert action build via Splunk Addon builder. helper.addevent("hello", sourcetype="customsource") helper.addevent("world", sourcetype="customsource") helper.writeevents(index="mycustomindex", host="localhost", source="localhost") Regards, Naresh ... View more

Hello, I am working on a query to check multiple service status from multiple servers and trying to display the current status of each service using windows event log 7036. Event ID 7036 captures the event for both services stopped and started.  My requirement is on a given point of time service might restart multiple time and I don't want to list all restart state instead want to display the current status by comparing the data for each service against the current State. index IN (wineventappsys_*) EventCode=7036 host IN (ABC,DEF,GHI) | stats count by _time, host, EventCode, SourceName, LogName, Message | lookup service_list Message OUTPUT Short_Description Severity | eval State =if(match(Message,"running state"),"CLOSED","OPEN") | stats latest(_time) as Date by host State Short_Description | sort - host Date ShortDescription  Here it still lists both open and closed events. I am trying to display data only with the last state for each service for each server. Any help is greatly appreciated. Naresh ... View more

Hi All, We are trying to push data from Grafana to Splunk using HEC based integration. When we did the testing we found that the header sent by Grafana was in the following format "Bearer <HEC TOKEN>" instead of "splunk <HEC TOKEN>" format. Because of this, authentication failed and we cannot ingest data into Splunk. We manually tried the same via postman where we have an option to change the Bearer prefix and it worked. Our ask is, do we have a method to change the Header Authorization from Splunk to Bearer to fix the authentication issue? Please help. Regards, Naresh ... View more