I suppose you unpacked and re-packed the TA on a windows box. That's typical for windows to mess up with unix permissions so it's not a good idea to - for example - run windows-based deployment server for unix clients. Anyway, instead of editing files within the app (I hope you edited the local/ files, not the default/ ones) you can create an app with configs overwriting settings from the app. This way it might be more manageable.

Hi Here are some good articles about upgrading splunk: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Upgrades_and_Migration/Upgrading_the_Splunk_platform https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Enterprise/td-p/408003 r. Ismo

Hi @claudiaG , probably my hint will not cover your requisite, but using a search with three joins, you'll wait for hours. Did you tried to correlate events using stats? see my approach and try to adapt it to your Use Case, remembering that Splunk isn't a DB. something like this: index=A | rename Name as TargetName | bin span=1w@w0 _time | stats values(Status) AS Status dc(Status) AS Status_count values(SourceID) AS SourceID values(type) AS type BY TargetID _time | eval state=case( Status_count=1, Status, match(status,"Done") OR match(status,"Pending"), "Link + State is there", NOT match(status,"Done") OR NOT match(status,"Pending"), "State is missing", 1=1, "No Lynk") | timechart span=1w@w0 count by state Ciao. Giuseppe

Hi @sbollam , you have to create three cascade dropdown list, concatenated uing the tokens of the previous ones, something like this: <fieldset submitButton="false"> <input type="dropdown" token="application"> <label>Application</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>Application</fieldForLabel> <fieldForValue>Application</fieldForValue> <search> <query> | inputlookup my_lookup.csv | dedup Application | sort Application | table Application </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> <input type="dropdown" token="environment"> <label>Environment</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>Environment</fieldForLabel> <fieldForValue>Environment</fieldForValue> <search> <query> | inputlookup my_lookup.csv WHERE Application=$application$ | dedup Environment | sort Environment | table Environment </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> <input type="dropdown" token="index"> <label>index</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>index</fieldForLabel> <fieldForValue>index</fieldForValue> <search> <query> | inputlookup my_lookup.csv WHERE Application=$application$ AND index=$index$ | dedup index | sort index | table index </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> </fieldset> Ciao. Giuseppe

Hi @yuanliu ,    Sorry for the mistake!    `macros1(`$macros2$`,  now(), -15d@d, *, virus, *, *, *)` The values to be passed in macros2 is multiselect, I get error if i passed two values at a time, because each values passed is an individual macros which has different search in it. I need OR condition to be performed on that case. Thanks in Advance! Manoj Kumar S    

Hi @bwhite , good for you, see next time! let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors

Hi Team, We installed the splunk with version 8.0.4 from scratch and created the clusterlogging and clusterlogforwarder instance with vector pointing to splunk vm. Still we are unable to see the logs in the dashboard even sample logs are also not visible in the dashboard.   Regards, Guru Sairam

Thanks for the reply. I did finally get back to this issue. I checked and noticed that the execute permissions were missing from the scripts as you mentioned. rw-rw-rw- Adding those permissions helped but something else was still missing that I never found. I finally solved it by downloading it directly to the server and expanding it there instead of downloading it and unzipping it on my machine first. Everything magically started working. Hope that helps, Brad.

The upgrade sequence is Managers, Search Heads, Indexers, Forwarders.  Each layer must be at the same or higher version than the next layer.  Note that you may have to go through the sequence a few times to get everything up to the newest version while honoring step levels.

Thanks @richgalloway I'm aware that best practice is indexers are same or later than forwarders (https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjR1urKjfmBAxV3l2oFHZgqAmAQFnoECBsQAQ&url=https%3A%2F%2Fdocs.splunk.com%2FDocumentation%2FVersionCompatibility%2Fcurrent%2FMatrix%2FCompatibilitybetweenforwardersandindexers&usg=AOvVaw1VxTlqkTc48Sr-quUpc-0s&opi=89978449)   While I won't leave it this way, would that mean I could leave forwarders at 6.6 while I do the upgrades on the indexers (to 9.1.1) in my environment?  And then when I have time I'll upgrade the forwarders?  I had in my mind that I would have to upgrade forwarders incrementally while I upgrade the indexer, but seems like that isn't the case.