Good question. Since Forwarder 9.0, the "least privilege mode" (run Splunk service as NON ROOT) is by default enabled, whereas Enterprise does not have such feature(yet?). Previously Forwarder and Enterprise share same account `splunk`, so Forwarder creates a dedicated user `splunkfwd` since 9.0 to prevent user permission conflicts. Today it's very popular to install the Forwarder & Enterprise on the same instance - Install Forwarder in the base image(so that all dockerized instances are monitored by default) to monitor the platform internal metrics such as CPU, Memory, network resources, system files, etc, and install Enterprise to ingest data from external resources, or host indexing/search.  So this is just a default account change, just like the default user changed from LocalSystem to Virtual Account on Windows since Forwarder 9.1, as a security improvement.   ... View more

When you add a parameter thru UI, AoB will do following things for you: Add the parameter definition in /README/inputs.conf.spec Add the default value in /default/inputs.conf Add the parameter in custom REST endpoint to operate this value thru Splunk REST API Update Addon UI Update AoB internal metadata If we want to add one parameter without AoB, please follow Splunk doc to create modular input manually. If we still want to use AoB to read/write this parameter in Python code, please do #1,2,3 manually. But basically this hack approach is not officially supported by AoB. We can try it but not guaranteed it's gonna work. Personal speaking, add this optional parameter via AoB UI with a default value is not harmful. If you really want to hide it from Addon UI, you can try to add it first, and then update Addon frontend code to remove it. That could be an easier approach. ... View more

I fixed a bug about "carriage return" on Windows, which corrupts the chunk buffer. I guess it's related. Please try DBX 3.3.1, or insert following codes to {DBConnect}/bin/dbxquery_bridge.py: added Python3 support. def read_from_dbxquery_server_write_to_stdout(self): # DBX-4889, in windows, text mode stdout write will generate one more # carrige return '\r' which corrupts the data. if sys.platform == "win32": if sys.version_info[0] < 3: # Python 2 import os import msvcrt msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY) else: # Python 3 sys.stdout = stdout = open(sys.__stdout__.fileno(), mode=sys.__stdout__.mode, buffering=1, encoding=sys.__stdout__.encoding, errors=sys.__stdout__.errors, newline='\n', closefd=False)   ... View more

Please see my comments https://community.splunk.com/t5/Getting-Data-In/Splunk-DB-Connect-ERROR-io-dropwizard-jersey-errors/m-p/510607 ... View more

Basically this error is about the chunk processor, which is the communication protocol between DBX and search app. Since you mentioned other searches work well, I guess the root cause is about the column names: either some special characters, or non-utf8 chars. Most likely it's the later. May I ask your DBX version? We fixed a bug of  DBX 3.3.1 about the utf8 support.  ... View more

Did you run this in search app? If yes, please check errors in search.log by inspecting search job. Thanks. ... View more

Usually it's caused by incorrect credentials or JVM options. Please try to login with other DB clients. If it's still not working, please contact Splunk support and provide diag. Thanks. ... View more

This is a bug of log message we already fixed but not released yet. But basically sth wrong about this connection. Please see https://community.splunk.com/t5/Getting-Data-In/Splunk-DB-Connect-ERROR-io-dropwizard-jersey-errors/m-p/510607 ... View more

Any error logs from splunkd or dbx_server? Most likely it's the problems of dbxquery. What's your DBX version? Is this upgraded from DBX 3.2 or previous? What's the charset of your DB? ... View more

Please use "hostname" or "myhost" instead of "host" which is a Splunk reserved parameter. Also please make sure the internal name you created is unique in UI ... View more

You can customize this function in python code def validate_input(helper, definition): """Implement your own validation logic to validate the input stanza configurations""" # This example accesses the modular input variable # text = definition.parameters.get('text', None) pass ... View more

ServiceNow Addon is built by Add-on Builder? Oh I don't know that. Basically we may need to do sth manually, for example, install this addon on all SH, sync some conf files and KVStore cross all SH, etc. May I ask what's the error you found from browser console and backend logs? ... View more

Unfortunately current Add-on Builder or Addons built by Add-on Builder cannot support Splunk Cluster. Maybe we will support it in future release ... View more

Sorry currently we only support seconds as an interval. May add cron support in future release. ... View more

Did this alarmfoundat in inputs.conf.spec? How did you add this parameter in AoB UI? ... View more

Do you mean you exported one addon, and then imported to another Addon Builder? What's the Splunk version and error message? ... View more

Do you have exact same configurations as I posted? If yes, that's a bug. Please join slack channel add-on-builder in splunk-usergroups workspace, then we can have a live talk. Thanks. ... View more

From image https://docs.splunk.com/File:AddonBuilder2.1_REST1.png, there is a parameter begin_date which is similar to your request. However, there is no functions such as get_current_date in REST based modular input. We need to create a Python input with some Python functions to do that. ... View more

Currently Add-on Builder REST input can only send ONE request. Please use Python input which is able to do anything you want. There are many helper functions to help you to send REST request by one line of code. You can try to create one and see some code templates in AoB UI. ... View more