@harsmarvania57  I found your solution more relevant to my case. I need to renew the RSA password; is it possible to change RSA password during server.pem renewal? ... View more

You're very close. Can you give this section of the documents a read and let me know if it answers your question? http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/HowSplunkextractstimestamps Not just this page im linking to, but if you look on the left side there are several more sections covered under the "Configure Timestamps" section. Others like this gem in the rough: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Applytimezoneoffsetstotimestamps ... View more

Open a support case, this the community forum and you cannot expect your support request will been seen by support. Learn here http://docs.splunk.com/Documentation/Splunk/6.2.6/Troubleshooting/HowtofileagreatSupportcase how to file a great support case.. cheers, MuS ... View more

Hi, I am now looking for the same thing like you did a long time ago. I want to find out which hosts have been added to Splunk in 2016, just to do a documentation of our data onboarding process. My idea was something like this: | metadata type=sourcetypes |convert ctime(firstTime) AS input_time |convert ctime(lastTime) AS last_event_time |where firstTime>1451606400 AND firstTime<1483228800 Is the metadata affected by the retention policy of an index? For example retention time is set to 180days so firstTime will not be older than 180d max? I checked this, some sourcetypes have events that are older than 2015. But the oldest/earliest event of sourcetype=opsec is just 10 days ago but we did the data input at the beginning of 2016. Are there some reasons why |metadata would not work always? ... View more