Hi. I have a single filed for date and time of event - 2024-02-19T11:16:58.930104Z I would like to have to fields Date and Time as well as one more calculated fields I can use to find records not changed in last 2 days or 48 hours what ever is better for the search. I tried  |eval Date = strftime(policy_refresh_at, "%b-%d-%Y") | eval Time = strftime(policy_refresh_at, "%H:%M") or | eval Date=substr(policy_refresh,10,1) The result come empty in both cases. So nothing to calculate on Please advise, Thank you Please advise on

I am using the | fields _raw to show the entire content of the source file as a single event.  It works for most of my log files less than 100K.  For occasionally larger files, the search will break the results into multiple events and missing out the details.  How can I fix it?  Or is there another way to return the file contents?  I know users can click on the Show Source in the event action, but my search queries are part of a dashboard drilldown on file names.

I need help to write a search query where the result from the one query is passed onto the second query 1 we import the users from the active directory group in the okta group and the event eventType="group.user_membership.add" captures this Json event Following the query get me the name of the group and user name. index="indexName"   eventType="group.user_membership.add" | spath "target{}.displayName" |rename target{}.displayName as grpID| eval groupName=mvindex(grpID, 1) |  rename "target{}.alternateId" AS "targetId" | rename "target{}.type" AS "targetType"| eval target_user=mvindex(targetId, mvfind(targetType, "User")) | table target_user groupName 2. After the user is added to the Okta group, I want to find the occurrence of the user authentications during time range  . I can separately find user authentication using eventType="user.authentication.sso" this event doesn't have a group name. index="indexName"   eventType="user.authentication.sso"  target_user  | stats count by date How do I pass the user in the first query to the second query. I cannot use subsearch since the main search eventype is not the same as the second sub search.   Basically, I want to create a report by groupname/username authentications for the selected time range Any help is appreciated.

Hello to everyone! I have a Win server with Splunk UF installed that consumes MS Exchange logs This logs is stored in CSV format Splunk UF settings look like this: props.conf [exch_file_httpproxy-mapi] ANNOTATE_PUNCT = false BREAK_ONLY_BEFORE_DATE = true INDEXED_EXTRACTIONS = csv initCrcLength = 2735 HEADER_FIELD_LINE_NUMBER = 1 MAX_TIMESTAMP_LOOKAHEAD = 24 SHOULD_LINEMERGE = false TIMESTAMP_FIELDS = DateTime TRANSFORMS-no_column_headers = no_column_headers transforms.conf [no_column_headers] REGEX = ^#.* DEST_KEY = queue FORMAT = nullQueue   Thanks to the data quality report on the indexers layer, I found out that this source type has some timestamp issues I investigated this problem by executing a search on the searched layer and found surprising events breaking You can see an example in the attachment _raw data is OK and is not contain "unxepected" next-line characters What is wrong with my settings?

Hello everyone, Unfortunately, from the license master server I can not see anything from the dashboards of the license usage page. I have also tried with the query below:  index=_internal sourcetype=splunkd source=*license_usage.log type=Usage idx=*  But nothing, no results found.  Could you please help me? Thanks in advance.