Great, thanks Rich. It would be good if Splunk could enable the new geo-location DB that ships with SE 9.0.0 or later, dbip-city-lite.mmdb, to be updated on a regular basis instead of having to replace the new DB with either MaxMind's, or some other vendor's DB. Splunk could build that update functionality in behind the scenes if divulging the new vendor is top secret for some reason.   Otherwise, the update procedure for the new DB could be added to the iplocation page like for MaxMind's update procedure.

Thanks Rich! That answered all my questions, but brought up 2 new questions. We are running SE 9.0.5 so we have the new $SPLUNK_HOME/share/dbip-city-lite.mmdb  geo-location DB as you mentioned. The reason for this new question is I noticed an IP address yesterday whose City seems to be outdated against the results from iplocation.net. Guessing there is no way to update the new dbip-city-lite.mmdb DB after the initial SE install since Splunk has not divulged the vendor ? Went to the link you provided, and to the 9.0.5 page for iplocation which does state the new vendor's mmdb file name, but the data after that shows how to update MaxMind DB's, GeoLite2-City.mmdb & GeoIP2-City.mmdb , which as you said were replaced in 9.0.0, and are not shipped with version 9.0.5.  Is this an oversight in the documentation ?   iplocation - Splunk Documentation "Usage The iplocation command is a distributable streaming command. See Command types. The Splunk software ships with a copy of the dbip-city-lite.mmdb IP geolocation database file. This file is located in the $SPLUNK_HOME/share/ directory. Updating the IP geolocation database file Through Splunk Web, you can update the .mmdb file that ships with the Splunk software. The file you update it with can be a copy of one of the following two files. Only those two files are supported. To use these two files, you must have a license for the GeoIP2 City database. File name Description GeoLite2-City.mmdb This is a free IP geolocation database that is updated on its download page on a weekly basis. GeoIP2-City.mmdb This is a paid version of the GeoLite2-City IP geolocation database that is more accurate than the free version.   Replacing your mmdb file with one of these two files reintroduces the Timezone field that is absent in the default .mmdb file, but does not reintroduce the MetroCode field. Prerequisites You must have a role with the upload_mmdb_files capability. Steps Go online and find a download page for the binary .tar.gz versions of the GeoLite2-City or the GeoIP2-City database files. Download the binary .tar.gz version of the file (GeoLite2-City or GeoIP2-City) that is most appropriate for your needs. Expand the binary .tar.gz version of the file. The .tar.gz file expands into a folder which contains the GeoLite2-City.mmdb file, or the GeoIP2-City.mmdb file, depending on the download you selected. In Splunk Web, go to Settings > Lookups > GeoIP lookups file. On the GeoIP lookups file page, click Choose file. Select the .mmdb file. Click Save. The page displays a success message when the upload completes."

See the https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps article to understand how Splunk applies timezone information. It could be done in several different places, most probably you'd want to set the TZ on the forwarder so that it doesn't interfere with other components' settings.  

Does it have to do with the highlighted parameter INDEXED_EXTRACTIONS,  Example:Isolation:Web doesn’t have any SEDCMDs [Example:Isolation:Web] EVAL-vendor_region = lower('region'."-".'zone') FIELDALIAS-aob_gen_Example_Isolation_Web_alias_1 = userName AS user FIELDALIAS-aob_gen_Example_Isolation_Web_alias_2 = disposition AS action FIELDALIAS-aob_gen_Example_Isolation_Web_alias_4 = categories{} AS category FIELDALIAS-aob_gen_Example_Isolation_Web_alias_5 = fileName AS file_name FIELDALIAS-aob_gen_Example_Isolation_Web_alias_6 = fileSize AS file_size FIELDALIAS-aob_gen_Example_Isolation_Web_alias_7 = fileMimeType AS http_content_type FIELDALIAS-aob_gen_Example_Isolation_Web_alias_8 = parentPageURL AS http_referrer FIELDALIAS-aob_gen_Example_Isolation_Web_alias_9 = classification AS type INDEXED_EXTRACTIONS = json AUTO_KV_JSON = 0 KV_MODE = none SHOULD_LINEMERGE = 0 TIMESTAMP_FIELDS = date category = Example Web Isolation pulldown_type = 1 local/props.onf [Example:Isolation:Url] SEDCMD-sanitize_jsessionid = s/jsessionid=[0-9A-Za z]+/jsessionid=masked_by_splunk/g SEDCMD-sanitize_url_parameter = s/([#&])(access_token|id_token)=[^\s&",]+/\1\2=masked_by_splunk/g SEDCMD-sanitize_url_parameters_password = s/([Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd])=[^\s"&']+/\1=masked_by_splunk/g  

The value of the diff field is in seconds.  The strftime function adds that value to 1 Jan 1970 to come up with a timestamp.  Obviously, that is not the goal.  Expressing diff in days can be done in a couple of ways: divide seconds by 86400 to get a number of days | eval days=round(diff/86400,0) Use the tostring function to convert seconds into d:H:M:S format. | eval days=tostring(diff, "duration")  

Apparently, the Cisco app is not performing the same search you are performing manually.  Examine the searches the app uses (click the magnifying glass icon on a panel or use the CLI to view the dashboard code) and compare it to your manual search.  Based on your findings, adjust how the data is onboarded or modify the queries.

Splunk hasn't disclosed the new vendor of geo-ip data, which changed with version 9.0. The file is $SPLUNK_HOME/share/dbip-city-lite.mmdb. You can read more about it in the iplocation documentation at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation