Upgrade to Splunk 8.2 from 7.3 we must install 8.1 first before 8.2. So is it okay to run the rpm -U for 8.1 and then 8.2 right after 8.1 finishes or should we wait until the entire 8.1 environment has been running for a few days?  Any suggestions would be greatly appreciated. 

I am trying to create a dashboard that contains a textbox. When a ticket reference is given to the textbox and a user clicks submit, a search is run in the background that appends the ticket information to a kvstore. This is my dashboard -   <form script="run_action.js"> <label>QA Manual Submission</label> <description>A dashboard that allows for the manual submission of QA Samples.</description> <fieldset submitButton="false"></fieldset> <row> <panel> <input type="text" token="tokRef" searchWhenChanged="true"> <label>Ticket Reference</label> <default>[Letter][number]_SOC</default> <initialValue>[Letter][number]_SOC</initialValue> </input> <html> <p>Click "Add to QA" to manually add the ticket number to the QA App</p> <button class="btn btn-primary button1">Add to QA</button> </html> </panel> </row> </form>   This is javascript I am using -   require([ "jquery", "splunkjs/mvc", "splunkjs/mvc/searchmanager", "splunkjs/mvc/tableview", "splunkjs/mvc/textinputview", "splunkjs/mvc/simplexml/ready!" ],function( mvc, $, SearchManager, TableView, TextInputView ) { //debug testing console.log("I get this far!"); //Add after some research on Splunk Anwsers. Since removed. //var SearchManager = require("splunkjs/mvc"); //var SearchManager = require("splunkjs/mvc/searchmanager"); //var TextInputView = require("splunkjs/mvc/textinputview"); //var TableView = require("splunkjs/mvc/tableview"); //var $ = require("jquery"); var mysearch = new SearchManager({ id: "mysearch", autostart: "false", search: mvc.tokenSafe("| jira jqlsearch \"project IN projectMatch(\\\".+_SOC.+\\\") AND assignee was in(membersOf(\"GG_JIRA_Filter\")) AND status=Closed AND created >= startOfMonth()\" fields \"project,summary,status,resolution,resolutiondate,updated,created,issuetype,assignee\" \r\n| table Summary, Key, \"Issue Type\", Resolution, Assignee, Resolved, Created, \"QA Commentary\", \"QA By\", \"Perceived Ticket Quality\", \"QA Pass\/Fail\"\r\n| rename Key as Ticket_Ref, \"Issue Type\" As Issue_Type\r\n| rex field=Resolved \"(?<date>\\d{4}\\-\\d{2}\\-\\d{2})T(?<time>\\d{2}:\\d{2}:\\d{2})\" \r\n| eval extracted_time=date+\" \"+time \r\n| eval Resolved=strptime(extracted_time,\"%Y-%m-%d %H:%M:%S\") \r\n| eval Resolved=round(Resolved,0) \r\n| rex field=Created \"(?<created_date>\\d{4}\\-\\d{2}\\-\\d{2})T(?<created_time>\\d{2}:\\d{2}:\\d{2})\" \r\n| eval created_extracted_time=created_date+\" \"+created_time \r\n| eval Created=strptime(created_extracted_time,\"%Y-%m-%d %H:%M:%S\") \r\n| eval Created=round(Created,0)\r\n| table Ticket_Ref, Summary, \"Issue_Type\", Resolution, Assignee, Resolved, Created, \"QA Commentary\", \"QA By\", \"Perceived Ticket Quality\", \"QA Pass\/Fail\", \"Manual QA Add\"\r\n| eval \"Manual QAA dd\"=\"True\"\r\n| search Ticket_Ref=$tokRef$\r\n| outputlookup qa_lookup append=True") }); $(".button1").on("click", function (){ var ok = confirm("Are you sure?"); if (ok){ mysearch.startSearch(); alert('attempted restart!'); } //else { // alert('user did not click ok!'); //} }); });   When I try to run the dashboard I get the following errors on the console - Limited knowledge of JS and I've done my best to follow guidance on splunk anwsers. Would appreciate any insight. Many thanks Christopher

My fields have values like, UTR998760071.unot.utrl.accorda.net RANWA80A8881.cnet.utrl.matrixia.net ANNA00A0071.tron.utrl.zimbaw.net BP87DF087071.cnet.trzn.netisha.net I want the fist part of the string to be extracted. The part before the first .(dot) output be like  UTR998760071 RANWA80A8881 ANNA00A0071 BP87DF087071 Not with substr but with a regex preferably. Thank you

Hi all, I'm trying to convert the message body of my events into fields.  The structure of the event message is in a comma delimeted key-value pair format. An example of the structure is: Time Event 10/08/2021 15:09:49.000 Timestamp,10/08/2021 15:09:49,Environment,EUAT,Artefact,ICE,Application,ICE,Domain,ws,Status,RUNNING 10/08/2021 15:09:49.000 Timestamp,10/08/2021 15:09:49,Environment,EUAT,Artefact,ICE,Application,Radiating Whitespaced App,Domain,dc,Status,ERROR 10/08/2021 15:09:49.000 Timestamp,10/08/2021 15:09:49,Environment,DEV,Artefact,MC,Application,MCIO,AppID,4,Hostname,4569erg,Domain,wsdc,Status,STOPPED   Is there a way, through a search query to make every odd value a 'field' and every even value a corresponding 'value' for that field. Therefore, 'Timestamp' would be a field, with it's corresponding value, then 'Environment' would be the next field. The tricky part is that there can be varying lengths of key-value pair strings in the events. For instance, the first row has 6 pairs of key-value pairs, whereas the third row has 8.  Any help would be greatly appreciated!

I have a few lookups created by users they left the organization. We need to remove this lookups since it take large amount of space. Before we remove is there any query we can find out  how many searches using this lookup.