Hi @mbadhusha_splunk
Above is very useful - though I have a similar problem with some lookups.
How is the removable attribute set for lookups, since they're all under the same lookups directory (no default/local)?
When I check
| rest /servicesNS/-/-/data/lookup-table-files
For two lookups in the same app, I see all the attributes are the same except for eai:acl.can_share_user and eai:acl.removable (both set to 0 vs both set to 1).
You can enable/disable a rule with the API:
Example with curl:
curl -k -u admin https://<host>:<mgmt_port>/servicesNS/<user_context>/<app_context>/saved/searches/<search>/disable -X POST
Replace disable with enable to enable it.
Are you sure about that?
If you add disabled to the list of fields, you should see that all the searches in the table have disabled set to 1.
Since you are looking at searches that used to be scheduled, I would suggest looking at the last time they were run using the Splunk scheduler logs:
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search disabled=1 is_scheduled=1
| fields title eai:acl.owner eai:acl.app eai:acl.sharing
| join title type=left [ search index=_internal sourcetype=scheduler | stats max(_time) as last_time by savedsearch_name | convert ctime(last_time) | rename savedsearch_name as title | fields title last_time]
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing last_time as "last time"
Note:
You won't be able to get the last time it was run if that was longer ago than the _internal index retention time.
Could you try to bump your server to force Splunk to reload JavaScript files:
Go to your_server:8000/en-US/_bump and press bump, then try reloading your dashboard.
Strange, the saved search should have been replicated across the cluster - unless you created it by manually editing savedsearches.conf on one of the search heads?
1520287380 is March 5, 2018 10:03:00 PM GMT
Splunk assumes that myDate's timezone is the one you indicated in your account settings before converting to epoch.
If you do the following, you will see the epoch match the date because you specified the GMT timezone:
| gentimes start=-1 | eval myDate="3/5/2018 17:03 +0000"
| convert timeformat="%m/%d/%Y %H:%M %z" mktime(myDate) as epoch
| table epoch
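The timezone behaviour described above, as an added example that is not part of the original answer: the same wall-clock string is converted with and without an explicit offset, and the assumed account timezone (UTC-5, constructed here because it is what makes 17:03 land on epoch 1520287380) only applies when the string carries no offset.

```python
from datetime import datetime, timedelta, timezone

# The timeformat the post passes to convert mktime(); %z only matches when the
# string actually carries an offset such as +0000.
FMT_WITH_OFFSET = "%m/%d/%Y %H:%M %z"
FMT_NO_OFFSET = "%m/%d/%Y %H:%M"

# Assumed user-account timezone (constructed for this example): UTC-5. A fixed
# offset is used so the example does not depend on a tz database being installed.
ASSUMED_USER_TZ = timezone(timedelta(hours=-5))


def to_epoch(text, assumed_tz=ASSUMED_USER_TZ):
    """Mimic mktime(): honour an explicit offset, else fall back to the account zone."""
    try:
        dt = datetime.strptime(text, FMT_WITH_OFFSET)  # explicit offset wins
    except ValueError:
        # No offset in the string: interpret the wall-clock time in the assumed zone.
        dt = datetime.strptime(text, FMT_NO_OFFSET).replace(tzinfo=assumed_tz)
    return int(dt.timestamp())


def utc_string(epoch):
    """Render an epoch in UTC so the result can be cross-checked against the post."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for sample in ("3/5/2018 17:03", "3/5/2018 17:03 +0000", "3/5/2018 17:03 -0500"):
        epoch = to_epoch(sample)
        print(f"{sample!r:28} -> {epoch} ({utc_string(epoch)})")
```

Without an offset the 17:03 string yields 1520287380 (22:03 UTC, as the post states); with +0000 it yields 1520269380, i.e. 17:03 UTC.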
An example of regex extraction that would work with the example string you provided:
| rex field=user "::\((?P<first_name>[^\)]+)\)\.\((?P<surname>[^\)]+)\)"
Hey,
Can you run python -c 'import sys; print sys.path' and check if the SDK path appears in there?
I believe you need to restart your Windows machine for the new environment variable to appear.
Not 100% sure what you're trying to accomplish, but could you perhaps try the following?
index=mcafee:web gateway
| lookup second_lookup url OUTPUT domain
| stats count by usrName, time_taken, httpStatus, method, dstIP, urlCategories, domain
splunklib.client is part of the Splunk Python SDK.
Did you follow the guide for installation of the SDK (http://dev.splunk.com/view/python-sdk/SP-CAAAEDG)?
It seems like your PYTHONPATH environment variable is not set properly, causing the import statement to fail.