It gives the same error when upgrading from Splunk UF 7.1 to Splunk UF 9.0 on windows server 2012 R2. Error 1316. The specified account already exists The mcafee link is broken so cannot see the resolution. Could someone share what registry should I look for and remove it?

Splunk always renders the time (either when you explicitly call strftime() or when it displays the _time field) according to the user's timezone set in preferences for said user. There is no way to specify another timezone for time display. The only way you can try to "cheat the system" is to add an artificial offset to the timestamp and pretend it's rendered in another timezone but it's an ugly and a bit unreliable solution.

1. What do you mean by event_time? 2. What is _time assigned from in your sourcetypes? 3. Are your sources properly configured (time synchronized, properly set timezones)? Generally speaking - are your sources properly onboarded or afe you just ingesting "something"?

My assumption is that we are stripping off HH:MM:SS from the original value of Date, but we still want the final results to be in a formatted %m/%d/%Y. Hard to say for sure without seeing the original dataset.

We're not talking about raising a case with support. We're talking about reaching out to your sales contact. BTW, I don't recall there being an offering with completely no support. BTW2, this is not a "support substitute".

Thanks, this actually is close with some tweaking but I still cant get around the fact that after the transpose, I want it show the latest 12... Transpose 25 for example will get me the first 25 dates left to right and I want the last 12 right to left if that makes sense?    I could do Transpose with no integer to show everything, but then that would be an extremely wide table as this data grows over time on a weekly basis we get a new date, and on those dates we are trying to show number of sats per team for all teams on that date.

From the looks of the screenshot it appears that event_time probably isn't in epoch format so the diff isn't being properly evaluated.  How does it look when you try this? index=notable | eval event_epoch=if( NOT isnum(event_time), strptime(event_time, "%m/%d/%Y %H:%M:%S"), 'event_time' ), orig_epoch=if( NOT isnum(orig_time), strptime(orig_time, "%m/%d/%Y %H:%M:%S"), 'orig_time' ) | eval event_epoch_standardized=coalesce(event_epoch, orig_epoch), diff_seconds='_time'-'event_epoch_standardized', diff=tostring(diff_seconds, "duration") | table _time, search_name, event_time, diff  

A props.conf for these extractions would look like this. [<sourcetype_name>] EXTRACT-log_level_and_type = \[TID\:(?<tid>[^\]]+)\]\s+(?<log_level>[A-Z]+)\s+(?<log_type>[^\s]+) EXTRACT-cid = \[CID\:(?<cid>[^\]]+)\] EXTRACT-message = [A-Z]+\s+\w+(?:\.\w+)*\s+\-\s+(?<message>.*)\s+\-\s+\( EXTRACT-user = user\s+\'(?<user>[^\']+)\' EXTRACT-client_ip = client\s+(?<client>\d{1,3}(?:\.\d{1,3}){3})\:(?<port>\d+) EXTRACT-cannot_open_service_error = (?i)cannot\s+open\s+(?<service>[^\s]+)\s+service\s+on\s+computer\s+\'(?<computer>[^\']+)\' EXTRACT-unable_to_connect_to_host_exception = (?i)\s+\-\s+(?<app>.*?)\s+unable\s+to\s+connect\s+to\s+(?<hostname>[^\s]+)\s+with\s+exception\s+(?<exception_type>[^\:]+)\:\s+(?<exception_message>.*) EXTRACT-retrieving_class_failed_due_to_error = (?i)\s+\-\s+retrieving\s+the\s+(?<class>[^\s]+)\s+class\s+factory\s+for\s+remote\s+component\s+with\s+clsid\s+\{(?<clsid>[^\}]+)\}\s+from\s+machine\s+(?<hostname>[^\s]+)\s+failed\s+due\s+to\s+the\s+following\s+error\:\s+(?<error_code>[^\s]+) EXTRACT-exception_messages = (?i)(?<exception_type>\w+(\.\w+)*exception)\:\s+(?<exception_message>.*) EXTRACT-error_codes = (?i)due\s+to\s+error\s+(?<error_code>[^\s]+)  And the accompanying default.meta something like this (depending on your desired permissions) [props] access = read : [ * ], write : [ admin, power ] export = system

Thank you everyone for the information and help! We are a non-profit organization and don't have a support entitlement. This is why I'm posting here ))). I will contact the support team to see if they will provide a reset license.