https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-configure-the-checkpoint-value/m-p/288606#M34353 <P>No Answer? I have resolved. </P> <P>My event: {"DetailsUrl": "/Orion/NetPerfMon/OrionMessages.aspx?ShowOrionMessageTypes=audit%3b", "AuditEventMessage": "User <EM>**\*</EM>* logged in from *****<STRONG><EM>.", "TimeLoggedUtc": "2018-03-29T01:42:32.7370000Z", "DisplayName": "</EM></STRONG><STRONG>\*</STRONG>**** logged in from *****<STRONG><EM>.", "NetObjectType": null, "ActionTypeID": 1, "AuditEventID": 3519, "NetworkNode": null, "AccountID": "</EM></STRONG><EM>\*</EM>****", "NetObjectID": null}</P> <OL> <LI>I have changed my sql like this: </LI> </OL> <P>SELECT AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName FROM Orion.AuditingEvents <STRONG>WHERE TimeLoggedUtc &gt; AddMinute(-10,GETUTCDATE())</STRONG> order by TimeLoggedUtc DESC</P> <OL> <LI>I am feeling splunk does't find the time automatically. Then I configured TIME_PREFIX. Done [solarwinds:generic] TIME_PREFIX = "TimeLoggedUtc":\s" TIME_FORMAT = %Y-%m-%dT%T.%7N%Z</LI> </OL> Tue, 29 Sep 2020 18:48:51 GMT tdbank 2020-09-29T18:48:51Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-configure-the-checkpoint-value/m-p/288605#M34352 <P>I selected audit event from orion.auditingevents. Then I have follow questions.</P> <OL> <LI>How to configure the checkpoint value in solarwinds query? Because there are too many duplicated events.</LI> <LI>If not possible can i use Splunk DB Connect for Solarwinds base? (table: Orion.AuditingEvents)</LI> <LI>Audit log time (orion.auditingevents.timeloggedutc) is not equal to indexed time. How can I set audit log time to index time?</LI> </OL> Mon, 26 Mar 2018 11:19:36 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-configure-the-checkpoint-value/m-p/288605#M34352 tdbank 2018-03-26T11:19:36Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-configure-the-checkpoint-value/m-p/288606#M34353 <P>No Answer? I have resolved. </P> <P>My event: {"DetailsUrl": "/Orion/NetPerfMon/OrionMessages.aspx?ShowOrionMessageTypes=audit%3b", "AuditEventMessage": "User <EM>**\*</EM>* logged in from *****<STRONG><EM>.", "TimeLoggedUtc": "2018-03-29T01:42:32.7370000Z", "DisplayName": "</EM></STRONG><STRONG>\*</STRONG>**** logged in from *****<STRONG><EM>.", "NetObjectType": null, "ActionTypeID": 1, "AuditEventID": 3519, "NetworkNode": null, "AccountID": "</EM></STRONG><EM>\*</EM>****", "NetObjectID": null}</P> <OL> <LI>I have changed my sql like this: </LI> </OL> <P>SELECT AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName FROM Orion.AuditingEvents <STRONG>WHERE TimeLoggedUtc &gt; AddMinute(-10,GETUTCDATE())</STRONG> order by TimeLoggedUtc DESC</P> <OL> <LI>I am feeling splunk does't find the time automatically. Then I configured TIME_PREFIX. Done [solarwinds:generic] TIME_PREFIX = "TimeLoggedUtc":\s" TIME_FORMAT = %Y-%m-%dT%T.%7N%Z</LI> </OL> Tue, 29 Sep 2020 18:48:51 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-configure-the-checkpoint-value/m-p/288606#M34353 tdbank 2020-09-29T18:48:51Z