Hi @mbadhusha_splunk Above is very useful - though i have a similar problem with some lookups. How is removable attribute set for lookups since they're all under the same lookups directory (no default/local)? When i check | rest /servicesNS/-/-/data/lookup-table-files For two lookup in the same app, I see all the attributes are the same except for eai:acl.can_share_user and eai:acl.removable (both set to 0 vs both set to 1) ... View more

Great, you welcome 🙂 ... View more

Are you sure about that? If you add disabled to the list of fields, you should see that all the searches in the table have disabled set to 1. ... View more

Since you are looking at searches that used to be scheduled I would suggest looking at last time it was run using the Splunk scheduler logs: | rest splunk_server=local /servicesNS/-/-/saved/searches | search disabled=1 is_scheduled=1 | fields title eai:acl.owner eai:acl.app eai:acl.sharing | join title type=left [ search index=_internal sourcetype=scheduler | stats max(_time) as last_time by savedsearch_name | convert ctime(last_time) | rename savedsearch_name as title | fields title last_time] | rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing last_time as "last time" Note: You won't be able to get last time it was run if it was longest time ago than the _internal index retention time. ... View more

I have converted my comment to an answer. Could you please accept it to close the question? Happy Splunking (: ... View more

Could you check your browser console for errors? ... View more

Hi @sjafferali, Did you move a copy of the js and css files to your own app as well - or just the XML? ... View more

Try sort - Date ... View more

Strange, the saved search should have been replicated across the cluster - unless your created it by editing manually savedsearches.conf on one of the search head? ... View more

Does the search you are trying to run have private permissions? ... View more

Converted my command to an answer, Could you please accept it to close the question? ... View more

17:03 is 5PM so that would be 5 hours behind GMT 🙂 ... View more

An example of regex extraction that would work with the example string you provided: | rex field=user "::\((?P<first_name>[^\)]+)\)\.\((?P<surname>[^\)]+)\)" ... View more

Hey, can you run python -c 'import sys; print sys.path' and check if the SDK path appears in there? I believe you need to restart your Windows machine for the new environment variable to appear. ... View more

Not 100% sure what you're willing to accomplish, but could you try the following eventually? index=mcafee:web gateway | lookup second_lookup url OUTPUT domain | stats count by usrName, time_taken, httpStatus, method, dstIP, urlCategories, domain ... View more

You specified search app context in your API endpoint, are you sure the search is visible in that context? ... View more

Also, worth saying that your filter >= 100000 does not seem to work because Aurangabad is in the results and has 79,393 inhabitants. You will have to create a calculated field to remediate that. ... View more

Splunk does edit these values but it's because it's encrypting them after you enter them manually usually. ... View more

Well i think it's the best shot you have. It depends how big your indexes are i guess? You could try and just stop the job if it hangs for too long. ... View more

Could you try to add quotes around FileType field values and run the job in smart mode? ... View more