Hi, I would check your user Preferences timezone:

Click your name in the top right > Preferences > Default System Timezone

If you have it set to a timezone, it will convert the time for you.

Matt
Is the cluster in maintenance mode? On the manager node run:

splunk show maintenance-mode

Check whether any buckets are stuck in fixup tasks; if so, resolve the issue:

Indexer Clustering > Indexes > Bucket Status
I see... you need to make the nmon app global or accessible to those users.

Click Apps > Manage Apps > NMON app > Permissions > Read/Write: All, and make the app accessible to users.

Are your users able to access the NMON app? If you don't want the app global, the users will only have the knowledge objects available within the NMON app.
Are you seeing this with Linux systems? I had an issue like this with our Linux logs forwarding to our syslog server. It turned out to be an extra space at the end of our syslog outgoing template: after the \n" someone had \n " instead.
You need to add the nmon indexes to your user roles, or create a new role for the nmon users.

Go to: Settings > Roles > "your user role" > Indexes tab > "select indexes"

You should see the following indexes for the nmon data:

os-unix-nmon-config
os-unix-nmon-events
os-unix-nmon-internal
os-unix-nmon-metrics
I would check the server name on the UF and search for what you find in Forwarder Management on the deployment server. It sounds like everything is working.

Forwarder Management > click on your server class > search for the server name found on the UF

To get it to show in the Monitoring Console:

Monitoring Console > Settings > Forwarder Monitoring Setup > Rebuild Forwarder Assets

Hope this helps.

Matt
If you want to change the time in search you can try the following. Add this below your main search:

| eval time_format=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval time_epoch=strptime(time_format, "%Y-%m-%d %H:%M:%S")
| eval time_cst=time_epoch-21600
| eval _time=strftime(time_cst, "%Y-%m-%d %H:%M:%S")
You could try something like this:

index=xxx
| stats count by Team, status
| eval field="status=".status." "."count=".count
| stats values(field) as stats by Team
Make sure your Splunk user has the proper permissions to read the certs.

web.conf:

[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycert.key
serverCert = /opt/splunk/etc/auth/mycert.pem

Depending on the method you used, you must combine the server certificate, the private key, and the public certificate, in that order, into a single file. The combined file must be in privacy-enhanced mail (PEM) format:

cat <server certificate file> <server private key file> <certificate authority certificate file> > <combined server certificate file>

https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/HowtoprepareyoursignedcertificatesforSplunk
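A check for the combined file, added here as an example; it is not part of the answer above or of Splunk's own tooling. It assembles the PEM in the order the answer gives (server certificate, private key, CA certificate), then verifies that the blocks really are in that order, that exactly one private key is present, and that the file is readable by the current user but not by everyone, since it now contains the private key. The file names mycert.pem, mycert.key and ca.pem and the PEM bodies in the demo are constructed placeholders, not real keys.

```shell
# Added example, not from the original post or from Splunk. Assumptions: the
# combined file must contain server cert, private key, CA cert(s) in that order
# (the order the Splunk docs describe), and the private key must not be
# readable by "other". Run it as the Splunk service user so the readability
# check reflects the account Splunk Web runs under.

# Print the PEM block types in the file, one per line, in order of appearance
# (e.g. CERTIFICATE, RSA PRIVATE KEY, CERTIFICATE).
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Concatenate cert, key and CA cert in that order. The umask keeps the new file
# from ever being world-readable, even between the cat and a later chmod.
build_combined_pem() {
    ( umask 077 && cat "$1" "$2" "$3" > "$4" )
}

# Return 0 when the combined file looks right for web.conf serverCert, else 1:
# readable by the current user, not readable by "other", blocks ordered
# cert, key, CA cert(s), and exactly one private key.
check_combined_pem() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable by $(id -un)" >&2; return 1; }
    # Column 8 of "ls -l" is the read bit for "other".
    if [ "$(ls -l "$f" | cut -c8)" = "r" ]; then
        echo "$f: world-readable, but it contains the private key" >&2
        return 1
    fi
    order=$(pem_block_order "$f" | tr '\n' ',')
    case "$order" in
        "CERTIFICATE,PRIVATE KEY,CERTIFICATE,"* | \
        "CERTIFICATE,RSA PRIVATE KEY,CERTIFICATE,"* | \
        "CERTIFICATE,EC PRIVATE KEY,CERTIFICATE,"* | \
        "CERTIFICATE,ENCRYPTED PRIVATE KEY,CERTIFICATE,"*) ;;
        *) echo "$f: wrong PEM order, got: ${order:-no PEM blocks}" >&2; return 1 ;;
    esac
    nkeys=$(pem_block_order "$f" | grep -c 'PRIVATE KEY$' || :)
    [ "$nkeys" -eq 1 ] || { echo "$f: expected one private key, found $nkeys" >&2; return 1; }
    return 0
}

# Demo on constructed PEM stubs (the base64 bodies are fake placeholders).
demo_with_constructed_pems() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBc3R1Yg==' '-----END CERTIFICATE-----' > "$d/mycert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEc3R1Yg==' '-----END RSA PRIVATE KEY-----' > "$d/mycert.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIICc3R1Yg==' '-----END CERTIFICATE-----' > "$d/ca.pem"
    build_combined_pem "$d/mycert.pem" "$d/mycert.key" "$d/ca.pem" "$d/combined.pem"
    if check_combined_pem "$d/combined.pem"; then echo "combined.pem: ok"; else echo "combined.pem: FAILED"; fi
    # Key-first is the common mistake; show it being caught.
    ( umask 077 && cat "$d/mycert.key" "$d/mycert.pem" "$d/ca.pem" > "$d/wrong.pem" )
    if check_combined_pem "$d/wrong.pem" 2>/dev/null; then echo "wrong.pem: accepted (unexpected)"; else echo "wrong.pem: rejected"; fi
    rm -rf "$d"
}

demo_with_constructed_pems
```

The check only looks at PEM structure and file mode. To confirm that an RSA key and certificate actually belong together, compare the output of openssl x509 -noout -modulus -in mycert.pem with openssl rsa -noout -modulus -in mycert.key; if the moduli differ, Splunk Web will fail to start with the new files regardless of their order.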