When I try to disable the Deployment Monitor from the Manager, I get the following error: Error occurred attempting to disable SplunkDeploymentMonitor: In handler 'localapps': Cannot update application info: /nobody/SplunkDeploymentMonitor/app/install/state = disabled: Could not flush changes to disk: /nobody/system: ConfPathMapper: /apps/splunk/etc/apps/SplunkDeploymentMonitor/local. I'm sure that I could disable it from the conf files and then restart, but what does this mean? I'm running Splunk 4.2.4 on RH Linux. ... View more

We are trying to run a report that groups data by the UTC date of events occur. Our Heavy forwarders collect the data from different regions and correctly set the TZ field according to the time fields from the source data. We can tell that this is correct, because the value of the _time field is the epoch time of the events in UTC. When we run the report, we use strftime(_time, "%Y-%m-%d") to get the date that the event occurred. The problem is that this appears to be reporting the date according to the local representation of the indexer. We know this, because if we add %z to the time format it shows different timezones for each indexer. If we add a map function like "stats" to the command prior to computing the strftime we get the timezone of the search head. What we want to do is to create a string that represent the UTC date of the event regardless of what timezone the indexer or search head is running on. Since this is a very common scenario for us, is there a configuration setting or search function that can ensure that UTC time is used to render the date? ... View more

Does anyone know of a Windows port of Bonnie++, or another benchmarking tool that provides the same information on IOPS for random seeks? ... View more