Hi, I'm having some issues configuring this add-on.  I installed the add-on v0.0.0+9fa6d17 on a Splunk Enterprise 10.0.2 version on a windows heavy forwarder.  The add-on installs and launches with no issues, and I'm able to add account configuration with my api key and URL.  However, I can't seem to add any inputs.  Every input I try to add gives a fairly non-descriptive error message "an unknown error has occurred" and splunkd.log shows this error for my input: 04-24-2026 10:34:06.977 -0600 WARN AdminManager [3680 TcpChannelThread] - Could not find object id=Test_input It also shows the following messages, which I suspect are related: 04-24-2026 10:40:45.171 -0600 WARN AdminManager [10272 TcpChannelThread] - Could not find object id=structured_data_service 04-24-2026 10:40:43.319 -0600 WARN AdminManager [11012 TcpChannelThread] - Could not find object id=config This happens for each endpoint type.  I tried this on a couple of different instances of Splunk Enterprise with the same results.  I suspect the add-on is not loading some python objects, although there's nothing I can see in the other logs.  Has anyone ran into this issue before?  Is there maybe a configuration step I am missing (couldn't find anything in the add-on docs). Thanks! ... View more

I'm wondering if anyone could advise on how to best standardize a log of events with different fields. Basically, I have a log with about 50 transaction types (same source and sourcetype), and each event can have up to 20 different fields based on a specific field, ActionType. Here are a few sample events with some sample/generated data: 2025-02-10 01:09:00, EventId="6", SessionId="123abc",  ActionType="Logout" 2025-02-10 01:08:00, EventId="5", SessionId="123abc", ActionType="ItemPurchase", ItemName="Item2",  Amount="200.00", Status="Failure" 2025-02-10 01:07:00, EventId="4", SessionId="123abc", ActionType="ItemPurchase", ItemName="Item1", Amount="500.00", Status="Success", FailureReason="Not enough funds" 2025-02-10 01:06:00, EventId="3", SessionId="123abc" ActionType="ProfileUpdate", ElementUpdated="Password", NewValue="*******", OldValue="***********", Status="Failure", FailureReason="Password too short" 2025-02-10 01:05:00, EventId="2", SessionId="123abc" ActionType="ProfileUpdate", ElementUpdated="Email", NewValue="[email protected]", OldValue="[email protected]", Status="Success" 2025-02-10 01:04:00, EventId="1", SessionId="123abc", ActionType="Login", IPAddress="10.99.99.99", Location="California", Status="Success" I'd like to put together a table with user-friendly EventDescription, like below: Time: SessionId Action EventDescription 2025-02-10 01:04:00 123abc LogIn User successfully logged in from IP 10.99.99.99 (California). 2025-02-10 01:05:00 123abc ProfileUpdate User failed to update password (Password too short) 2025-02-10 01:06:00 123abc ProfileUpdate User successfully updated email from [email protected] to [email protected] 2025-02-10 01:07:00 123abc ItemPurchase User successfully purchased item1 for $500.00 2025-02-10 01:08:00 123abc ItemPurchase User failed to purchase item2 for $200.00 (insufficient funds) 2025-02-10 01:09:00 123abc LogOut User logged out successfully   Given that each action will have different fields, what's the best way to approach this, given that there could be about 50 different events (possibly more in the future).  I was initially thinking this can be done using a series of case statements, like the one below.  However, this approach doesn't seem too scalable or maintainable given the number of events and possible fields for each one: eval EventDescription=case(EventId="LogIn", case(Status="Success", "User successfully logged in from IP ".IpAddress." (Location)", 1=1, "User failed to login"), EventId="Logout......etc I was also thinking of using a macro to extract the field and compose an EventDescription, which would be easier to maintain since the code for each Action would be isolated, but I don't think execution 50 macros in one search is the best way to go.  Is there a better way to do this?  Thanks! ... View more

Hi I'm wondering if it's possible to define and execute a macro from a lookup.  I have an index with several (about 50) user actions, which aren't named in a user friendly manner.  Additionally, each action has different fields, which I'd like to extract using inline rex queries.  In short, I'd like a table with the following: Time UserName Message 10:00 a.m. JohnDoe This is action1.  Details for action1. 10:01 a.m. JohnDoe This is action2.  Details for action2. 10:02 a.m.  JohnDoe This is action3.  Details for action3.   I know can define a friendly name for the action using a lookup.  I can also do the rex field extractions and compose a details field using a macro for each action.  However, is there a way to also rex the fields and define the details in a lookup?   I was thinking of creating a lookup like this: Action FriendlyDescription MacroDefinition action1 "This is action1" | rex to extract fields for action1 | eval for Details for action1 action2 "This is action2" | rex to extract fields for action2 | eval for Details for action2 action3 "This is action3" | rex to extract fields for action3 | eval for Details for action3   I was thinking about something like this:   index=MyIndex source=MySource | lookup MyLookup.csv ActionId OUTPUT FriendlyDescription, MacroDefinition `code to execute MacroDefinition` |table _time, UserName, FriendlyDescription, Details for action   I'm not sure if i'm barking up the wrong tree, but the reason I'd like to do this in one place (a lookup) instead of 50 different macro definitions.  It'd be neat to have all the code in one place. Thanks!             ... View more

Hi, does anyone know if it's possible to replace the hard coded javaHome key in db_connect's dbx_settings.conf file with the java_home environment variable in Windows?   I have an auto patching set-up in a Windows Splunk heavy forwarder, and every time Java gets upgraded, it crashes the Splunk service.   For example, I'd like to replace this: javaHome = C:\Program Files\java\jdk-17.0.11.9-hotspot With this: javaHome=%java_home%   The above syntax doesn't work, although I'm not sure if it's a syntax or functionality issue. Thanks! ... View more

Hi, I'm having an issue where my Splunk audit.log from the UF is not being forwarded to my Splunk Cloud instance. My environment is as follows: 1x Universal Forwarder -> 2x Intermediate Forwarder -> 4x Cloud Indexers My default\outputs.conf is as follows: forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry) forwardedindex.filter.disable = false indexAndForward = false My local/outputs.conf is as follows: [tcpout:default-autolb-group] server = my ip's here forwardedindex.filter.disable = true forwardedindex.2.whitelist = (_audit) I ran the splunk.exe list monitor command and it shows the file being monitored, however, i don't see the logs showing up in my _audit log in the cloud. Is that the right index the audit.log should appear in? I even tried to set up a separate inputs entry to monitor that file to no avail. Any thoughts on how I could troubleshoot this issue? ... View more