Hi,  Since you want to do it in HF, you can modify the input stanza to specify the default index.  [tcp://9991] index = supplier1 [tcp://9992] index = supplier2   OR you can add the props & transforms transforms.conf (if you want to filter you can use sourcekey & regex) [tcp9991_syslog_supplier1] SOURCE_KEY = MetaData:Host REGEX = (10.*.*.*) DEST_KEY = _MetaData:Index FORMAT = supplier1 [tcp9992_syslog_supplier2] SOURCE_KEY = MetaData:Host REGEX = (10.*.*.*) DEST_KEY = _MetaData:Index FORMAT = supplier2   ... View more

If creationhybris is passed by value, then you should use it as token in subsequent query $creationhybris$ ... View more

Thanks, Below command fix that issue. chmod 400 /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key I was not able to open Splunk Add on builder TA due to this issue. Now its been fixed by changing the permission to the mongo key file. ... View more

its possible to pass the token through saved search, but token field name is the one you need to use it in your savedsearch report query. if you want to exexute : |savedsearch "Syslog Report" token_SourceIPAddress="$ip$" your saved search should be like, index=someindex src_ip_field=$token_SourceIPAddress$ ... View more

I got stuck in similar issue, trying for other options. Savedsearch taking inputs but running it as user not as admin. ... View more