Hello there, I would like to convert the  default time to the local country timezone and place the converted timezone next to the default one The defaut timezone is Central European time and based on the country name available in the report, need to conver the timezone. I guess i need to have a lookup table which the coutryname and the timezone of that country Timestamp CountryCode CountryName Region 2023-10-29T13:15:51.711Z BR Brazil Americas 2023-10-30T10:13:19.160Z BH Bahrain APEC 2023-10-30T19:15:24.263Z AE Arab Emirates APEC  

Hi, I am trying to report on access requests to actual logins. I have a list of events from our systems of when users have logged in: | table _time os host user clientName clientAddress signature logonType I have a list of requests which cover a time frame and potentially multiple logins to multiple systems: | table key host reporterName reporterEmail summary changeStartDate changeEndDate So i want a list of events, with any corresponding requests (could be none, so i can alert the user/IT) joining on host, user, and _time between changeStartDate and changeEndDate. I do have this working by using map (see below), but it's very slow and not operable over large datasets/times. There must be a better way. I had issues with matching on the time range, and where it may not have a match, and optional username matching based on OS. Does anyone have any ideas? Existing search: ...search... | table _time os host user clientName clientAddress signature logonType | convert mktime(_time) as epoch | sort -_time | map maxsearches=9999 search=" | inputlookup Request_admin_access.csv | eval os=\"$os$\" | eval outerHost=\"$host$\" | eval user=\"$user$\" | eval clientName=\"$clientName$\" | eval clientAddress=\"$clientAddress$\" | eval signature=\"$signature$\" | eval logonType=\"$logonType$\" | eval startCheck=if(tonumber($epoch$)>=tonumber(changeStartDate), 1, 0) | eval endCheck=if(tonumber($epoch$)<=tonumber(changeEndDate), 1, 0) | eval userCheck=if(normalisedReporterName==\"$normalisedUserName$\", 1, 0) | where host=outerHost | eval match=case( os==\"Windows\" AND startCheck==1 AND endCheck==1,1, os==\"Linux\" AND startCheck==1 AND endCheck==1 AND userCheck==1,1) | appendpipe [ | makeresults format=csv data=\"_time,os,host,user,clientName,clientAddress,signature,logonType,wimMatch $epoch$,$os$,$host$,$user$,$clientName$,$clientAddress$,$signature$,$logonType$,1\" ] | where match==1 | eval _time=$epoch$ | head 1 | convert ctime(changeStartDate) timeformat=\"%F %T\" | convert ctime(changeEndDate) timeformat=\"%F %T\" | fields _time os host user clientName clientAddress signature logonType key reporterName reporterEmail summary changeStartDate changeEndDate"  

Hi, I mistakenly cloned an alert to the "Slack Alerts" app instead of the normal "Search & Reporting" app.  This alert is functioning and sending Slack messages when triggered. But the alert is in the wrong app. But worse is that the alert now appears in the "All Configurations" page. I am able to disable the alert but not able to remove it and I really need to remove it from the "All Configurations" page. I'm also not able to edit the alert in any way. Is it possible to remove the alert from the "All Configurations" page?   Thank you.