I just installed the Windows TA.  Now, when I search, I get the following errors: Could not load lookup=LOOKUP-action_for_win_timesync_status Could not load lookup=LOOKUP-app4_for_windows_security Could not load lookup=LOOKUP-app_for_windows_system_ias Could not load lookup=LOOKUP-vendor_info_for_microsoft_dhcp Could not load lookup=LOOKUP-vendor_info_for_windows_security Could not load lookup=LOOKUP-vendor_info_for_windows_system Could not load lookup=LOOKUP-vendor_info_for_windowsupdatelog These are all automated lookups in props.conf.  The lookups don't exist.  There are no saved searches in the TA that would create them. How is it possible that the Windows TA (and Linux TA for that matter), which are two of the most downloaded apps in the Splunkbase, are so broken?  I can't believe your company can find the time to build useless apps for the Apple Watch, but you can't nail the two most widely utilized apps for getting data into Splunk. Shame on you. ... View more

I'm trying to figure out which search will most accurately tell me when events with future timestamps are being detected. Somebody on the team built this search: | tstats min(_time) as earliest_time, max(_time) as latest_time by index | eval daysOfLogs=round((latest_time - earliest_time)/60/60/24, 2) | eval eventsInFuture=if(latest_time > now(), "yes", "no") | eval tnow = now() | convert ctime(*time) | lookup index_to_env index | convert ctime(tnow) That search doesn't show any sourcetypes with future data. This search, on the other hand, shows that multiple sourcetypes are showing future timestamps: | metadata type=sourcetypes index=* index!=_* | eval now=now() | eval futuretime=lastTime-now | where futuretime>0 Based on what I've seen searching on the raw events with a "latest=+20d@d", the tstats command is the one that isn't seeing the future events... Any idea what is causing this behavior? ... View more