I am probably overengineering this but this is the only way I could get a script to execute on UF, via a deployed application's bin folder 🙂 I have a .path file which executes powershell.exe -command "& 'path_to_ps1_script'" and it's placed, as stated, in myapp\bin\scripts folder The PS1 script, returns a valid JSON. The app's inputs.conf stanza: [script://$SPLUNK_HOME\etc\apps\<my app>\bin\scripts\myscript.path] disabled=false interval=60 sourcetype=my_source_type source=my_source send_index_as_argument_for_path=false index=my_index As soon as I put index=my_index in my stanza, the data is not being indexed for some reason. If I remove the index, the data is indexed into the default "main" index, however i'm looking for a solution to send that data to an index I specify   Any suggestions ?   ... View more

Hello folks, I am having a hard time getting the difference between two fields of the same record, where the search query returns multiple record set. The query uses streamstat to bring the "previous" field into the current record, here's a dummy that shows the same results | makeresults | eval RoleContents = "a;b;c" | eval _time = now() | append [| makeresults | eval RoleContents="b;c;d" | eval _time=now()-10] | append [| makeresults | eval RoleContents="a;d" | eval _time =now()-20] | streamstats current=f window=1 first(RoleContents) as LastRoleContents | sort _time | streamstats current=f window=1 first(RoleContents) as PrevRoleContents | sort - _time | makemv delim=";" RoleContents | makemv delim=";" PrevRoleContents | table RoleContents, PrevRoleContents What i am looking to acheive is within the row, to show the difference between those two fields, which will show , for each record returned, what changed in comparison to the previous record. Any help would be appreciated. Thanks ... View more