@Rakzskull  Splunk manages the archival storage in DDAA, and you don’t have direct access to the underlying S3 buckets. To export archived data: Open a support ticket with Splunk. ... View more

+1 on thay. Generally you should avoid putting anything in system/local. Those settings have the highest priority and cannot be overriden by apps (with an exception for indexer cluster apps pushed from manager into peer-apps so you cannot manage those settings easily without physically touching the server. ... View more

Hi @Rakzskull, I’m a Community Moderator in the Splunk Community. This question was posted 6 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!  ... View more

"Name or service not known" means that you've typed in some address that your SH cannot properly resolve. Either you've made some typo or you have problems with DNS. ... View more

After upgrade 9.2.0. splunk app for AWS  got the same error "A custom JavaScript error caused an issue loading your dashboard. See the developer console for more details.".  Unable to open dashboard.  While seeing the  developer console, below error shwoing. How to bring it back.      ... View more

@rivars  You are a lifesaver! 🙂  ... View more

The solution described is achievable, although perhaps not desirable! It might take a bit of effort, but once done, it might give you the control you require. Having said that, I don't think there is a master switch to stop all alerts, although perhaps you could write a script to send a ReST command to disable each of the alerts (I am not sure if that's even possible though). You would need another script to re-enable the alerts of course. You still haven't answered the fundamental question of how you tell Splunk that there is a maintenance period. For example, some people use a lookup file with dates and time of maintenance periods, and the alerts all check whether a maintenance period is currently active and take appropriate action. Depending on your overall alerting architecture, you may be able to take maintenance periods into account further downstream, e.g. if your alerts are integrated with Service Now, you may be able to suppress alert actions during maintenance periods. ... View more

For rex, you need anchors. I have assumed the end of the event will act as the anchor. \[(?<lang>[^\]]+)\]\s\[(?<os>[^\]]+)\]\s\[(?<version>[^\]]+)\]\s?$ If this doesn't work, you will have to share your actual events (anonymised of course), preferably in a code block </> similar to above, so that formatting is preserved ... View more

Hi @Rakzskull, no as me and @isoutamo said in deploymentclient.conf there's the address of the Deployment Server, the server with the role to manage forwarders, instead in outputs.conf there's the address of Indexers or Heavy Forwarders that muste receive logs from the UF. They can be the same server in labs or little infrastructure, nevere in medium or big deployments, because in this case both Indexers and Deployment Server must be in dedicated servers, so they have diferent IPs. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

If you know the order of ABC1 and ABC2 and you only want events where both start with a character outside the range then you could try index=* sourcetype=XYZ "<ABC2>" "<ABC1>" | regex _raw="<ABC1>[^\x00-\x7F].+<ABC2>[^\x00-\x7F]" If you need either order, you could try index=* sourcetype=XYZ "<ABC2>" "<ABC1>" | regex _raw="(<ABC1>[^\x00-\x7F].+<ABC2>[^\x00-\x7F]|<ABC2>[^\x00-\x7F].+<ABC1>[^\x00-\x7F])"  Or if you want events where either start with a character outside the range index=* sourcetype=XYZ "<ABC2>" "<ABC1>" | regex _raw="(<ABC1>[^\x00-\x7F]|<ABC2>[^\x00-\x7F])" ... View more

Hi @Rakzskull, if you don't know how to create a lookup I hint to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchTutorial/WelcometotheSearchTutorial) Anyway, you have to: go in [Settings -- Lookup -- Lookup table files -- Lookup table files] and create the lookup with one column and one row go in [Settings -- Lookup -- Lookup table files -- Lookup definitions] and create a definition for the lookup Ciao. Giuseppe   ... View more