I've installed the v8.2.0 Splunk App for Unix and Linux on my search head per the instructions in the documentation. However, restarting Splunk throws an error of:   Bad regex value: '(?::){0}*', of param: props.conf / [(?::){0}*]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.   This appears to be coming from the {%appdir%}\default\props.conf file:   ## Dropdowns [(?::){0}*] LOOKUP-dropdowns = dropdownsLookup host OUTPUT unix_category unix_group   As a result, the Metrics page in the app is non-functional. Is anyone else having this issue? What did you do resolve it? ... View more

Hi All~ I am trying to build a query to generate a list/table that shows me devices that have not sent in a specific message to be indexed by Splunk in the last 30 hours. I believe I will need to create a subsearch to identify all devices that have communicated with any message in the last 30 days. [ host="Jetstream" earliest=-30d@d | dedup EventId | fields LogicalDeviceId ] The LogicalDeviceId is the unique name for each device being indexed. I want to use that field as the basis for the main search. host="Jetstream" and sourcetype="ObjectEvent" earliest=-30h@h [ subsearch here ] | fields LogicalDeviceId, EventTime For reference, an ObjectEvent looks like: <Jetstream xmlns="http://Jetstream.TersoSolutions.com/v1.0/ObjectEvent"><Header EventId="02d42360-d0df-48f4-aa85-dc5cede9cc4a" EventTime="2011-05-16T05:53:31Z" LogicalDeviceId="10000092" ReceivedTime="2011-05-16T05:57:10Z" /><ObjectEvent><DeviceExtensionList /></ObjectEvent></Jetstream> The resulting list would be those LogicalDeviceIds that have not sent in an ObjectEvent in the last 30 hours. I'm seeing a couple problems. One is obviously speed on the subsearch. Any suggestions how to speed it up? I'm guessing there's a way to do unique on the LogicalDeviceId... The second is I'm not getting any results back. Thanks for the help! ... View more