Well, yeah, I understand how I can convert the time from epoch, but I am trying to do this inside of a workflow action.  Someone searches "index=firewall", and then they click on "Event Actions" to click on the workflow action.  How does the time get converted through that mechanism?

I know of one file we have (multifix.js) We use it to modify the behavior of multi-select filters. /************************************************************************************* Multiselect Behavior Modification multifix.js v0.2 Automatically removes 'All' option in multiselect fields when a value is selected and remove individual values when 'All' is re-selected. Any multiselect with an CSS id of multi_1 - multi_15 will function in this way if the script is included or the app's dashboard.js or directly. *************************************************************************************/ require(['splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!'], function (mvc) { $(document).ready(function () { var selection = []; for (var i = 1; i < 16; i++) { multiFixer('multi_' + i); } function multiFixer(fieldId) { var multi = splunkjs.mvc.Components.getInstance(fieldId); if (typeof multi !== 'undefined' && multi !== 'undefined') { multi.on('change', function () { selection = multi.val(); if (selection.length > 1 && ~selection.indexOf('*')) { if (selection.indexOf('*') == 0) { selection.splice(selection.indexOf('*'), 1); multi.val(selection); multi.render(); } else { multi.val('*'); multi.render(); } } }); } } }); });  

@andrewtrobec  Are you sure all power user has the same issue or only a specific user, please check that. If only this user is having this issue, there is a great deal of chance that the user has navigation in his/her etc/user/local folder. Which is overriding what the App's default navigation. If all power user is having this issue, then you may have changes some capability for roles in your environment..   I hope this helps!!!

@anandhalagaras1 - Run the query like this: <your index, sourcetype search> earliest=0 latest=now <your_search> | eval Timestamp=strptime(Timestamp,"%Y-%m-%dT%H:%M:%S.%6N%:z") | addinfo | where Timestamp>=info_min_time AND Timestamp<=info_max_time   With this query, you can change the timerange from UI to apply on search directly.   Performance Hint: This query will be run on "All Time" as the earliest and latest suggest in the first line of the query, you can twick it for dashboard to improve performance of the query.   I hope this helps!!!

@jianzgao - I think you are using C# SDK for Splunk. Splunk has made that SDK deprecated - https://github.com/splunk/splunk-sdk-csharp-pcl I would recommend using either Python SDK (https://github.com/splunk/splunk-sdk-python ) or Java SDK (https://github.com/splunk/splunk-sdk-java ) or Javascript SDK (https://github.com/splunk/splunk-sdk-javascript )   I hope this helps!!!

@sh254087 - You shouldn't be doing sslVerifyServerCert false.   Ideally, if you have a custom CA cert added to your Splunk machine, you should be adding appsCA.pem file content at the end of your CA cert file, to avoid SSL-related errors on the App installation page.   Though, this error seems to be more like a slow connection speed with Splunkbase on the Splunk machine.   I hope this helps!!!

@BEN_ - While this covers much of what you are trying to find. It's important to keep in mind that this would not cover all the scenarios. Some example queries would not be covered by the query. index IN (murex_metrics) index=* index=murex* etc  

Hi bowesmana, Yes you are right. The query is working fine for both event and Metrics indexes. the problem was at level of the search filter. I found that the search in the dashboard contains ""  {... WHERE "index"="murex_metrics" AND ... } this explains why the filter in my search "eai:data"="*index=murex_metrics*" didn't return any data. Thanks again