Hi, Click Format > Chart Overlay > in overlay, click and select field > View as Axis "On" That might give you want you want. ... View more

Hi, I would check your user Preferences timezone. Click your name in the top right > Preferences > Default System Timezone. If you have it set to a timezone, it will convert the time for you. Matt ... View more

Is the cluster in maintenance mode? On the manager indexer run: splunk show maintenance-mode Check to see if any buckets are stuck in fixup tasks? If so, resolve issue. indexer clustering > Indexes > Bucket Status ... View more

Looks like you have a permission issue. Check that your role has the proper read/write to apps. ... View more

Remove these from the inputs.conf source=my_source send_index_as_argument_for_path=false ... View more

I see... you need to make the nmon app global or accessible to those users Click apps > Manage apps > NMON app > Permissions Read/Wright all Make app accessible to users. Are your users able to access the NMON app? If you don't want the app global, the users will only have the knowledge objects available within the NMON app. ... View more

Okay,  just add the nmon index to your user role that needs access.   ... View more

Are you seeing this with Linux systems? I had an issue like this with our Linux logs forwarding to our syslog server. Turned out being an extra space at the end of our syslog outgoing template. After the \n" someone had \n " ... View more

You need to add the nmon indexes to your user roles, or create a new role for the nmon users. Go to: Settings > roles > "your user role" > Indexes tab > "select indexes" You should see the following indexes for the nmon data: os-unix-nmon-config os-unix-nmon-events os-unix-nomon-internal os-unix-nmon-metircs ... View more

I would check the server name on the UF and search what you find in the Forwarder Management on the deployment server. It sounds like everything is working.   Forwarder management > click on your server class > search the server name found on UF To get it to show in the monitoring console: Monitoring console > settings > Forwarder Monitoring Setup > Rebuild Forwarder assets. Hope this helps. Matt ... View more

Try taking that part out and running everything below the eval to convert to string ... View more

| stats count, min(_time) as firstTime, max(_time) as lastTime, max(_indextime) as recentTime, BY x_device.hostname, x_device.last_seen |eval x_devices.last_seen=tostring(x_devices.last_seen) |eval time_format=strftime( x_devices.last_seen, "%Y-%m-%d %H:%M:%S") |eval time_epoch=strptime(time_format, "%Y-%m-%d %H:%M:%S") |eval time_cst=time_epoch-21600 |eval x_devices.last_seen=strftime(time_cst, "%Y-%m-%d %H:%M:%S")   ... View more

If you want to change the time in search you can try the following: Add this below main search |eval time_format=strftime(_time, "%Y-%m-%d %H:%M:%S") |eval time_epoch=strptime(time_format, "%Y-%m-%d %H:%M:%S") |eval time_cst=time_epoch-21600 |eval _time=strftime(time_cst, "%Y-%m-%d %H:%M:%S") ... View more

Make sure your Splunk user has the proper permissions to read the certs. web.conf enableSplunkWebSSL = 1 privKeyPath = /opt/splunk/etc/auth/mycert.key serverCert = /opt/splunk/etc/auth/mycert.pem   Depending on the method you used, you must combine the server certificate, the private key, and the public certificate, in that order, into a single file. The combined file must be in privacy-enhanced mail (PEM) format. cat <server certificate file> <server private key file> <certificate authority certificate file> > <combined server certificate file> https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/HowtoprepareyoursignedcertificatesforSplunk  ... View more