Hi - you just need to use props.conf to specify the source and your field extraction configurations. For settings that are specified in multiple categories of matching [<spec>] stanzas, [host::<host>] settings override [<sourcetype>] settings. Additionally, [source::<source>] settings override both [host::<host>] and [<sourcetype>] settings. https://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf Example: [source::<your_source_here>] <field_extraction_stuff_here>   ... View more

What Splunk version are you running? The TA you're referencing only supports Splunk v7.0 - v7.2 by the way.   You can also try adding in a "local/macros.conf" into the base TA with the following to see if that works: [cisco_asa_index] definition = index = "main" iseval = 0   ... View more

I'm going to assume you're talking about this TA here: https://splunkbase.splunk.com/app/3800/ I haven't used the TA yet, but it is asking you to specify an index so it can configure the macro below to configure the index where you are storing the firewall logs. So all you need to do is provide the index name - I'm assuming you're using the TA on a search head. The dashboards in this TA needs to know where you are storing the data for it to work properly. "default/macros.conf" [cisco_asa_index] definition = index = "cisco_asa" iseval = 0   ... View more

Did you try "changeme" as the password and username "admin"? ... View more

Man that sucks, I tried a fresh install with Splunk v8.1.7.1 with AWS TA v5.2.0 and it worked for me. I looked at the known issues page for Splunk v8.1.7 but didn't see anything that stood out. Hopefully support can provide you with some answers. ... View more

Don't know how I overlooked btool - that's also the fastest way to pin down the configs. ... View more

That is kind of odd that the index isn't there when it's there in the GUI. Can you look for an indexes.conf file within the $SPLUNK_HOME/etc/apps directory? Sometimes users click into an app or TA, then go to the indexes settings and create an index there without realizing that the index.conf gets put into that TA/app context. If you find the indexes.conf, move it to etc/system/local and restart Splunk. ... View more

I copied your SPL and it didn't have a space between the endpoint and splunk_server values. Can you try this? | rest splunk_server=<my_hosts> /services/configs/conf-indexes ... View more

Try this:   [azure:eventhub] DATETIME_CONFIG = CURRENT   props.conf snippet: DATETIME_CONFIG = [<filename relative to $SPLUNK_HOME> | CURRENT | NONE] * Specifies which file configures the timestamp extractor, which identifies timestamps from the event text. * This setting may also be set to "NONE" to prevent the timestamp extractor from running or "CURRENT" to assign the current system time to each event. * "CURRENT" sets the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor. * "NONE" leaves the event time set to whatever time was selected by the input layer * For data sent by Splunk forwarders over the Splunk-to-Splunk protocol, the input layer is the time that was selected on the forwarder by its input behavior (as below). * For file-based inputs (monitor, batch) the time chosen is the modification timestamp on the file being read. * For other inputs, the time chosen is the current system time when the event is read from the pipe/socket/etc. * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When using these settings, use 'SHOULD_LINEMERGE' and/or the 'BREAK_ONLY_*' , 'MUST_BREAK_*' settings to control event merging. * For more information on 'DATETIME_CONFIG' and datetime.xml, see "Configure advanced timestamp recognition with datetime.xml" in the Splunk Documentation. * Default: /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml). https://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf   ... View more

Are you 100% positive that the "windowseventlog" index exist on your indexer(s) or your all-in-one Splunk server? I would double check your indexes.conf. ... View more

I think this error comes up when you are using a rising column input option and don't put in a value for the initial checkpoint. ... View more

If you know Javascript and want to mess with the source code, the error comes from here: splunk_app_db_connect/appserver/static/build/pages/common.js You may want to fork it to be your own app with the custom config, I don't know much more than that. ... View more