Definitely depends on your ecosystem. If you're managing an on-premises Windows or Azure-native or hybrid cloud environment or developing bits in Visual Studio Code, you're probably using PowerShell. The VSCode PowerShell extension has been downloaded 20+ million times. There are about the same number of estimated Python users worldwide. The few PowerShell examples I've posted on the Splunk community use PowerShell syntax and flow control but with a focus on classes and methods over cmdlets, they feel more like C# than PowerShell. In all seriousness, I can't think of a company other than IBM that maintains the level of backwards compatibility that Microsoft does. The Win32 API is 33 years old, and the core Windows API from 1985 remains functionally the same. The shift to 64-bit processors after the last update to Windows 10 saw the end of 16-bit NTVDM and WOW, but until that point, you could run original Windows applications on 32-bit Windows. PowerShell and .NET will disappear someday, but I don't think it will be Microsoft that makes the decision; programming languages will just be made irrelevant by AI systems that produce whatever you want in whatever form you prefer. We're almost at the point today. ... View more

admon, MonitorNoHandle, WinEventLog, etc. are all modular inputs that ship with Splunk Universal Forwarder, although not all of them behave the way modular input documentation says they should behave. Splunk gets to break its own rules. It's all relative. I've used Splunk in AIX and Solaris environments with ksh and sh, respectively, but no GNU Bash. You do what you need to do. I like PowerShell on Windows because it's installed by default on every modern Windows SKU (edit: okay, not Windows Nano Server, but your SREs are going to complain about Splunk, too), and most environments have something like a 10:1 or better Windows to other ratio if you include endpoints. ... View more

PowerShell is pre-installed on every supported version of Windows and easy to install on all major Linux distributions. When PowerShell first arrived, I wasn't a Perl user, and I didn't embrace its influences. As Microsoft support for COM and automation interfaces waned, though, using PowerShell or embedding a CLR language like C# in a PowerShell script became viable. I still fall back to VBScript, JScript, and COM interfaces occasionally. Microsoft should have kept its JavaScript engine alive, but Node.js (edit: technically, V8) rules that space. JScript .NET is still a thing. Python isn't shipped with Splunk Universal Forwarder, though--only Splunk Enterprise. When I'm writing Linux-only inputs, I use Bash. I vary between Bash and Python for external lookups and use Python for custom search commands. In the environments I support day to day, you can't just install NuGet or pip and download code. You've got to use what the base OS provides and fight for more. ... View more

We start with something approximating a monitor input but operating at the worksheet level. System.IO.FileSystemWatcher for workbook-level change tracking, a header/footer hash for worksheet-level change tracking, etc. I wouldn't dive into mid-sheet changes or Excel's internal change tracking right away. PowerShell and .NET Standard are just convenient, cross-platform tools. It could be any bytecode or compiled language with libraries supporting the required OS abstractions, but on Windows, side-loading Python isn't my first choice. ... View more

I mean, this is a Splunk forum and not a Power Automate or [insert legacy office automation and content management tool here] forum. 😉 "Can I index Excel files?" is a common enough real-word question. This is as good a use case as any for walking through a modular input example. We tend not to think about how Splunk monitor and batch inputs work under the hood. Getting into the details of file system concurrency, change tracking, and so on is quite fun, and Excel is an interesting envelope. ... View more

My first thought was to treat workbooks as archives and then iterate over worksheets as files/sources, but unarchive_cmd isn't very flexible. We don't appear to have access to the same metadata that _auto provides. A scripted input would be another simple, one-shot alternative. It could also be a complex solution similar to a modular input. The only limit is the code we're willing to write (or have a machine write, but we wouldn't be here if we wanted that). ... View more

On Linux, don't forget to install PowerShell Core. ... View more

Hi @sonaralt, We can adapt an example I wrote for SQL Server audit files at https://community.splunk.com/t5/Splunk-Cloud-Platform/uploading-sqlaudit-files-into-Splunk/m-p/678857, but we'll treat Excel workbooks as archives and the first worksheet as a source. We could use Excel itself to read workbooks, but it requires Excel and Windows, and writing code for memory and thread safety in COM is a dying art. The consensus (read: Stack Overflow and Reddit) for a cross-platform, scalable solution seems to be Sylvan.Data.Excel plus Sylvan.Data.Csv. We can use these classes in PowerShell 5.1 and PowerShell Core for a cross-platform solution compatible with Splunk Universal Forwarder. We can bootstrap a development environment with NuGet and a lot of headaches, or we can skip all that and use the add-on I've uploaded to GitHub: https://github.com/groktrev/TA-xlsx. TA-xlsx/ TA-xlsx/bin/ TA-xlsx/bin/netstandard.dll TA-xlsx/bin/Stream-XLSX.ps1 TA-xlsx/bin/Sylvan.Data.Csv.dll TA-xlsx/bin/Sylvan.Data.Excel.dll TA-xlsx/default/ TA-xlsx/default/inputs.conf TA-xlsx/default/props.conf TA-xlsx/default/inputs.conf [monitor://C:\Temp\xlsx\*.(?i)(xlsx)] index = main sourcetype = xlsx [monitor:///tmp/xlsx/*.(?i)(xlsx)] index = main sourcetype = xlsx TA-xlsx/default/props.conf [source::...\\*.(?i)(xlsx)] unarchive_cmd = powershell.exe -ExecutionPolicy RemoteSigned -File "$SPLUNK_HOME\etc\apps\TA-xlsx\bin\Stream-Xlsx.ps1" unarchive_cmd_start_mode = direct sourcetype = preprocess-xlsx NO_BINARY_CHECK = true [source::.../*.(?i)(xlsx)] unarchive_cmd = $SPLUNK_HOME/etc/apps/TA-xlsx/bin/Stream-Xlsx.ps1 unarchive_cmd_start_mode = direct sourcetype = preprocess-xlsx NO_BINARY_CHECK = true [preprocess-xlsx] invalid_cause = archive is_valid = False LEARN_MODEL = false [xlsx] SHOULD_LINEMERGE = false INDEXED_EXTRACTIONS = csv KV_MODE = none DATETIME_CONFIG = NONE TA-xlsx/bin/Stream-Xlsx.ps1 #!/usr/bin/env pwsh Add-Type -Path ([System.IO.Path]::Combine($PSScriptRoot, "netstandard.dll")) Add-Type -Path ([System.IO.Path]::Combine($PSScriptRoot, "Sylvan.Data.Excel.dll")) Add-Type -Path ([System.IO.Path]::Combine($PSScriptRoot, "Sylvan.Data.Csv.dll")) $stdin = [System.Console]::OpenStandardInput() $stdout = [System.Console]::Out $reader = [Sylvan.Data.Excel.ExcelDataReader]::Create($stdin, [Sylvan.Data.Excel.ExcelWorkbookType]::ExcelXml) $writer = [Sylvan.Data.Csv.CsvDataWriter]::Create($stdout) # We can iterate over worksheets with ExcelDataReader.NextResult() and # retrieve the worksheet name with ExcelDataReader.WorksheetName, but we # can't modify the source field midstream. Only the first worksheet's # header row will be recognized by INDEX_EXTRACTIONS = csv. #do { # $writer.Write($reader) | Out-Null #} while ($reader.NextResult()) $writer.Write($reader) | Out-Null On Linux, verify Stream-Xlsx.ps1 is executable: $ chmod 0750 $SPLUNK_HOME/etc/apps/TA-xlsx/bin/Stream-Xlsx.ps1 In more recent releases of Splunk Universal Forwarder, you may need to modify the server.conf allowed_unarchive_command setting. $SPLUNK_HOME/etc/system/local/server.conf [general] allowed_unarchive_commands = _auto,splunk-compresstool,zstd,powershell.exe,/opt/splunkforwarder/etc/apps/TA-xlsx/bin/Stream-Xlsx.ps1 See your release's server.conf.spec and https://advisory.splunk.com/advisories/SVD-2026-0302 for more information. Note that Splunk expands environment variables before verifying the command. Sylvan.Data.Csv.CsvDataWriter reads the Excel file from stdin through Sylvan.Data.Excel.ExcelDataReader and writes the first worksheet to stdout as a CSV stream. INDEXED_EXTRACTIONS = csv will parse the stream before forwarding events to a receiver. I haven't found a way for an unarchive_cmd process or script to update the source field and signal the start of a new source. The source file name is not passed as a command-line argument or as part of the input stream, and HEADER_MODE = always and the ***SPLUNK*** directive are ignored whether or not INDEXED_EXTRACTIONS or a custom structured data header extraction configuration is used. The next alternative is a modular input with its own path monitoring and change tracking mechanism. Because a modular input has complete control over the events it generates, it can inject metadata fields like source as needed. I prefer PowerShell over Python because Splunk Universal Forwarder doesn't ship with a Python interpreter, and PowerShell is available by default on most Windows systems. Python may be installed on some Linux systems, but it's not available on Windows or macOS by default, and PowerShell Core can be installed on Linux and macOS just as easily as a Python distribution. If Splunk Enterprise is installed on the endpoint, the Python for Scientific Computing app provides Pandas for access to Excel files, and Python becomes a viable, Splunk-supported option for modular input development. If you're interested in exploring and testing modular inputs, we can put something together in this thread. ... View more

Thanks for the Slack link. Dashboard Studio has gotten better at time zone detection relative to SplunkWeb user preferences and browser locale, but it would be clearer if it worked the same way every time, i.e., it used a zone offset if provided or else used the SplunkWeb offset. There are other ways to confuse Dashboard Studio, e.g.: | makeresults | fieldformat _time=strftime(_time, "%d-%b-%Y") _time is detected as a "time" field, but Dashboard Studio displays "Invalid Date" because the underlying JavaScript object is not a Date object. ... View more

Hi @yuanliu, Did you come up with a satisfying answer? From my brief experiments, Dashboard Studio appears to cast or convert the field value to a JavaScript Date object using the Date.parse() method. If the string is in a date-time format recognized by the browser's JavaScript engine*, a valid Date object is returned, and Dashboard Studio gives the label or value a type of "time"; otherwise,  the label or value may have a type of "number," "string," or "unknown" depending on additional tests. The behavior changes when the search coerces a variant field to a specific type with, e.g., the replace() or tostring() functions. If I'm poking around in the right spot, the logic is: IF Finite AND Number THEN // x.isFinite() && x.isNumber(x)     "number" ELSE IF Date THEN // !Number.isNan(Date.parse(x))     "time" ELSE IF String THEN // Number.isNaN(Date.parse(x)) && typeof x == "string"     "string" ELSE     "unknown" END IF There is necessarily some conversion from Splunk field to JavaScript variable when Dashboard Studio parses search results in client-side JavaScript. The logic contradicts the behavior change, though, as date-time values coerced to strings should pass the (inferred) !Number.isNan(Date.parse(x)) test and have a type of "time" and not "string." * Different browsers support different date-time string formats, but the standard formats should be universal. ... View more

I love engineering/systems-oriented dashboards and applied puzzle solving, but when I try to do something "pretty" ... the Titanic flute fail meme comes to mind. My favorite dashboards tend to be simple things with 3-5 metrics (principal component analysis maybe?) that say this is your root cause.  ... View more

I'm also a bit like everyone else: I prefer Simple XML; however, that's mostly because it's what I've used daily for ... too many years. Dashboard Studio iterates significantly with every release. Splunk Enterprise 10.4 and Splunk Cloud Platform 10.4.2604 added support for custom visualizations, for example. The product manager for Dashboard Studio and other SplunkWeb features posts blog updates and (presumably) monitors Answers. I know they welcome friendly, constructive feedback. That said, Splunk Enterprise 9.4 is nearly three years old now and more than a little out of date with respect to Dashboard Studio. ... View more

Hi @eholz1, I'll add one more example that works in Splunk Enterprise 9.4.12 and sets token values directly from a column chart. The token value you're looking for is probably row.<fieldname>.value, where <fieldname> corresponds to the over/row-split field in the chart command or the x-value in the xyseries command. E.g.: index=_internal source=*splunkd.log* | chart limit=10 usenull=f useother=f count over log_level by component index=_internal source=*splunkd.log* | stats count by log_level component | xyseries log_level component count => row.log_level.value You copy and paste the source below or use it as a reference to define the dashboard using Dashboard Studio. There's no source-only magic in the dashboard. { "title": "ds_drilldown", "description": "", "inputs": { "input_global_trp": { "options": { "defaultValue": "-24h@h,now", "token": "global_time" }, "title": "Global Time Range", "type": "input.timerange" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } } }, "visualizations": { "viz_TbwbICq3": { "dataSources": { "primary": "ds_zDetExHq" }, "options": {}, "type": "splunk.table" }, "viz_ZhY8abJJ": { "options": { "markdown": "**chart_name:** $chart_name$\n\n**chart_value:** $chart_value$\n\n**chart_row_log_level_value:** $chart_row_log_level_value$" }, "type": "splunk.markdown" }, "viz_eASiDDzL": { "dataSources": { "primary": "ds_AIqBMriG" }, "eventHandlers": [ { "options": { "tokens": [ { "key": "name", "token": "chart_name" }, { "key": "value", "token": "chart_value" }, { "key": "row.log_level.value", "token": "chart_row_log_level_value" } ] }, "type": "drilldown.setToken" } ], "options": {}, "type": "splunk.column" } }, "dataSources": { "ds_AIqBMriG": { "name": "Search_1", "options": { "query": "index=_internal source=*splunkd.log*\n| chart limit=10 usenull=f useother=f count over log_level by component", "queryParameters": {} }, "type": "ds.search" }, "ds_zDetExHq": { "name": "Search_2", "options": { "query": "index=_internal source=*splunkd.log* log_level=$chart_row_log_level_value|s$\n| table _time log_level component _raw" }, "type": "ds.search" } }, "layout": { "globalInputs": [ "input_global_trp" ], "layoutDefinitions": { "layout_1": { "options": { "height": 960, "width": 1440 }, "structure": [ { "item": "viz_eASiDDzL", "position": { "h": 400, "w": 1440, "x": 0, "y": 0 }, "type": "block" }, { "item": "viz_ZhY8abJJ", "position": { "h": 87, "w": 1440, "x": 0, "y": 400 }, "type": "block" }, { "item": "viz_TbwbICq3", "position": { "h": 400, "w": 1440, "x": 0, "y": 487 }, "type": "block" } ], "type": "grid" } }, "options": {}, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } } }   ... View more

Hi @user5, The order of fields in current NetScaler output doesn't match what the add-on expects. I don't have a sample I can share, but if you can post an obfuscated sample of a raw event, e.g., SSLVPN LOGIN, from your environment, we can help with field extraction fixes. ... View more

Dashboard Studio in Splunk Enterprise 10.2, Splunk Cloud Platform 10.1.2507, and later supports JSONata expressions. I drafted an example here, but I haven't seen them used in the wild. ... View more

Hi @las, The article you referenced is for Splunk SOAR, but if you want to explore the PostgreSQL environment shipped with Splunk Enterprise, you can install PostgreSQL 17 tools on your Linux server. Make a backup of your Splunk Enterprise installation before proceeding. I recommend using a restored backup running in a sandbox. I wouldn't do any of this on a production deployment server. This process is for Red Hat Enterprise Linux 10. It's similar for other distributions. PostgreSQL publishes a handy guide at https://www.postgresql.org/download/linux/. 1. Disable the RHEL postgresql module: sudo dnf module disable postgresql 2. Install the PostgreSQL repository: sudo dnf install https://download.postgresql.org/pub/repos/yum/reporpms/EL-10-x86_64/pgdg-redhat-repo-latest.noarch.rpm 3. Install PostgreSQL 17 tools: sudo dnf install postgresql17 4. Connect to PostgreSQL: psql "host=localhost port=5432 dbname=postgres user=postgres_admin" Your local postgres_admin password is encrypted in $SPLUNK_HOME/etc/system/local/passwords.conf. You can decrypt the value with: $SPLUNK_HOME/bin/splunk show-decrypted --value '<password>' where <password> is the encrypted value in passwords.conf. Or all together: psql "host=localhost port=5432 dbname=postgres user=postgres_admin password=$($SPLUNK_HOME/bin/splunk show-decrypted --value "$($SPLUNK_HOME/bin/splunk btool passwords list credential:postgres:postgres_admin: | grep '^password\s*=' | sed 's/^password[[:space:]]*=[[:space:]]*//')")" From here, you can list databases with \l, list users with \du, or run other commands as needed. Can you damage the installation beyond repair? YES. Verify your backup before making changes. It would be best to proceed with the help of Splunk support. If the issue you have is reproducible, they can fix it for other customers, too. ... View more

Hi @avadhi, Your question is a few months old, but did you find a solution? Splunk Add-on for Amazon Web Services (AWS) collects the following AWS/DynamoDB metrics by default after the namespace is added to a CloudWatch input: "AWS/DynamoDB": [ "ConditionalCheckFailedRequests", "ConsumedReadCapacityUnits", "ConsumedWriteCapacityUnits", "OnlineIndexConsumedWriteCapacity", "OnlineIndexPercentageProgress", "OnlineIndexThrottleEvents", "ProvisionedReadCapacityUnits", "ProvisionedWriteCapacityUnits", "ReadThrottleEvents", "ReturnedBytes", "ReturnedItemCount", "ReturnedRecordsCount", "SuccessfulRequestLatency", "SystemErrors", "ThrottledRequests", "UserErrors", "WriteThrottleEvents", ] If you don't see your metrics when editing the input configuration, try upgrading your Splunk Add-on for AWS installation. If you do see the metrics, verify you can see data in CloudWatch using the AWS Management Console or the AWS CLI. ... View more

Hi @ankit13, I recommend Splunk Universal Forwarder 9.3.x on Windows Server 2016. Splunk Universal Forwarder 9.3.13 was just released. Splunk has been inconsistent on whether more recent versions of the forwarder are fully tested and supported on Windows Server 2016. Both products will be end of life soon. As others have said, make sure your TLS configuration is consistent on both the client (deploymentclient.conf and server.conf) and server (server.conf). You can verify connectivity using the forwarder's bundled version of OpenSSL. From an elevated command prompt:  cd ; & "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd openssl s_client -connect <host>:8089 -CAfile "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" -tls1_2 -verify_return_error Replace <host> with your deployment server hostname, FQDN, or IP address. If you use an IP address, you can add the -servername parameter to openssl; set it to the common name or a valid subjectAltName value in the server certificate. If you need to use an IP address, check your name resolution configuration (DNS and/or %SystemRoot%\System32\drivers\etc\hosts). The "cd ; &" syntax just lets the command run as-is under both PowerShell and cmd.exe. A command that fully emulates your current Splunk configuration requires a copy of your forwarder's deploymentclient.conf and server.conf (remove any encrypted or plaintext secrets before posting). On failure, OpenSSL will print useful error messages and help isolate root cause. ... View more

I don't think you'll reach 100% without duplication. I would model the delay as a random variable and plan for missing samples. Dynatrace support may be able to provide more details about how their events are queued and delivered. ... View more

Hi @karl_lbg, Without modifying the modular input scripts, you can select a Dynatrace Collection Interval value larger than your input interval. Since the Dynatrace Collection Interval overlaps with the previous input interval, you may see duplicate events. It's a trade-off vs. missing events. You can optimize by using a Dynatrace Collection Interval value that approximates your Dynatrace environment's lag. For example, if your lag is 2 minutes and your input interval is 5 minutes (300 seconds), the closet Dynatrace Collection Interval is 10 minutes. Each interval would collect from -10 minutes to -0 minutes of data and pick up any events the prior interval missed. If you want to modify the modular input code, you can store the last observed timestamp as a checkpoint, use that value in the API startTimestamp parameter, and set the API endTimestamp parameter to the current time less some backoff. Time-based checkpoints are usually probabilistic, and there's always a chance you'll still miss events. The internal app developer (see Splunkbase) at Splunk may be open to suggestions. Have you contacted them directly? If you want to write your own input to retrieve logs and metrics without writing a lot of code, you may prefer the REST API Modular Input and the Dynatrace Grail service. ... View more

I have a bit of free time, so I checked: with DEBUG logging enabled, LineBreakingProcessor appears to be skipped when the _linebreaker key is present. With _linebreaker: S2SReceiver S2SReceiverEvents (_raw = line) UTF8Processor AggregatorMiningProcessor regexExtractionProcessor (_MetaData:Index transform) Without _linebreaker: S2SReceiver S2SReceiverEvents (_raw = chunk) UTF8Processor LineBreakingProcessor AggregatorMiningProcessor DateParser regexExtractionProcessor (_MetaData:Index transform) Using a route with has_key:_linebreaker:typingQueue jumps from S2SReceiverEvents to regexExtractionProcessor with respect to transforms. It's probable I've looked at all of this before when verifying earlier implementations. Instant recall would be nice. ... View more

Hi @Enzo54, You will find the same problem in 10.x. Don't be afraid to increase the size of max_memtable_bytes in this or other cases. The setting is there to help you get the best performance out of frequently used large lookup files. While null is a valid UTF-8 character, it poses a challenge for internal functions expecting null-terminated strings, whether they're in splunkd, Python's CSV reader, or elsewhere. I work occasionally with binary data in Splunk, so I wouldn't assume your null bytes are corruption as @kml_uvce has done, but their advice is otherwise sound: preprocess your lookup files and use a surrogate character to represent null. Splunk uses \x00 itself when sanitizing _raw, but you may prefer the URL-encoded %00, the UTF-8 encoding for ␀ (the byte sequence E29080), or some other value depending on your source representation. Whatever you choose, deserializing the data is simple with the rex command using mode=sed or the eval command using the replace() and urldecode() functions. ... View more

Logs? What is this? Splunk? I'd use a decompiler or disassembler. 😉 Or more realistically, I'd do black box testing across multiple (but serialized) tiers and analyze S2S traffic for changes in event boundaries. ... View more

I'm old, too. My kids remind me daily. Answers is already well served by conforming solutions and generative AI. Witness the ratio of trustee replies to questions and the downtrend in traffic. I spend my days mired in compliance-ridden, risk-averse systems. My answers here are both an escape and a way to contribute to a community of practitioners I've enjoyed engaging across venues since Splunk 4. ... View more