We build our own app that only works in Python 3. I would like to know how to force Splunk to use python 3 for this app. We don't want to ask users to change the system wide setting in server.conf. The app adds a new input form to Splunk under local inputs. Below is the error i`m getting. "Unable to initialize modular input "appname" defined in the app "appname": Introspecting scheme=appApi: script running failed (exited with code 1).." I tried adding python.version = python3 in inputs.conf, app.conf and props.conf but that does not fix it. Any idea how to fix this? or can it only be fixed by making the script compatible with python2? ... View more

Hi, I have 2 indexes. measurements - list of all measurements ( _time, transactionId, transTime, resultStatus) incidents - list of incidents ( _time, transactionId, incidentId, startTime, endTime, valid, checked, comment) _time in the incidents table is the time that the incident is inserted into Splunk. i would like to check for each measurement if it was between the startTime and endTime of a valid incident on that transaction and add a field "availability" with 0 if it was in an incident and 1 if it was not to each measurement. i tried things with map command and join but i cant find the right approach. please help:) thanks! ... View more