Are you using Add-on Builder 2.0? In 2.0, the Add-on Builder leverages Single Instance mode by default. This basically means the mod input script is called once for ALL the inputs. This means ALL configurations for the input are provided to the script from the helper functions, as a dictionary. Here is the code I'm now using to work that way. Since it checks for whether or not helper returns a dictionary, the code works in both test mode (returns single value) and for configured inputs (returns a dictionary). def collect_events(helper, inputs, ew): """Implement your data collection logic here""" stanzas = helper.input_stanzas for stanza_name in stanzas: opt_access_token = helper.get_arg('access_token') if type(opt_access_token)==dict: opt_access_toke​n = opt_access_token[stanza_name] # ALL the other pre-tasks, API querying, && event writing ... View more

If I understand correctly, one way would be to use the stats to get min & max per server and then use eval command to calculate total transactions for each. Example: ... | stats min(ID_Number) as min_id max(ID_Number) as max_id by server | eval num_transactions = max_id - min_id | table server num_transactions ... View more

rpille is right about which Splunk instances the TA should reside. Yet the props you've defined on the search head is an input phase configuration. Since the search head is not involved in the input, that configuration is ignored. The source type update via props.conf needs to take place on the heavy forwarder and be scoped to a source because parsing phase configurations with a sourcetype setting must be scoped to a source. [source::tcp:514] sourcetype = cisco:esa:textmail This extra props may be skipped by updating the local inputs.conf on the heavy forwarder (to set source type further upstream) [tcp://514] sourcetype = cisco:esa:textmail ... View more