Splunk newby here.  I have a search that works if I change it every day but would like to add it to a dashboard for monitoring without having to change the date.  It looks for all the newly created accounts in the current/past day, depending on what date I put in. The search is index=Activedirectory whenCreated="*,9/15/23" |table whenCreated, name, manager, title, description then search for last 24 hours.  The format of the time is %H:%M:%S AM/PM, %a %m/%d/%Y.  The 2 issues I am having are, how do you specify the AM/PM and how do you set up the search so that it will search for the last 24 hours using the current date.  I was thinking it is "time()" but I am not successful in getting the results I need.  

Hello! I'm using a text input box to input a username. If I were to simply put that username into my base search, it works great and is very quick. I have other search input parameters, so my problem is that if I DON'T specify a username, I want it to include all values. This includes null values. I started by using an asterisk as the default input value, but that doesn't include null values. The only way I've been able to make this partially work is by removing the username from the base search, then using an eval command to give the null entries a value, and then search the base results for either "*" to include everything, or the username I typed in. This is horribly inefficient because I have to search my entire database for every entry before I can filter it. I also think this doesn't work properly because it has a limit on the number of results in the base search.  I've done a lot of searching for doing an eval command BEFORE the base search, but that doesn't seem to be possible. This can't be a unique scenario. How do I search for both "null" and "NOT null" values in the base search without removing my username input box?

Hello,  There must be something `rex` specific with my query below since it is not extracting the fields, while the regex works as expected when I test on regex101 (see https://regex101.com/r/g0TMS4/1)     eventtype="my_event_type" | rex field=responseElements.assumedRoleUser.arn /arn:aws:sts::(?<accountId>\d{12}):assumed_role\/(?<assumedRoled>.*)\/vault-oidc-(?<userId>\w+)-*./ | fields accountId, assumedRole, userId Sample data that fails to match: arn:aws:sts::984086324016:assumed-role/foo-admin-app/vault-oidc-foo-admin-app-1687793763-Qen4JHeRXYlB8Eoplkjs      Thanks Alex.

Hello, I have the following search     index=wineventlog EventCode=4728 OR EventCode = 4731 OR EventCode=4729 OR EventCode=4732 OR EventCode=4756 OR EventCode=4756 NOT src_user=*$ | rename src_user as admin, name as action | table admin, Group_Name, user_name     This spits out output like this:   admin Group_Name user_name adminx GroupA UserA adminx GroupB UserA adminx GroupC UserA adminy GroupD UserB adminy GroupE UserB adminy GroupF UserC adminy GroupF UserD     I'm trying to combine them into a single message that looks like this:   admin Group_Name user_name adminx GroupA,GroupB,GroupC UserA adminy GroupD,GroupE UserB adminy GroupF UserC,UserD     What would be the best way to achieve that?

Hi - I would like to join and sum the results and output The searches: index=test_index sourcetype="test_source"  className=export | table message.totalExportedProfileCounter index=test_index sourcetype="test_source"  className=export | table message.exportedRecords From above both searches I am looking to add message.totalExportedProfileCounter, message.exportedRecords. For a given call only one of the above search shows up. I am looking for message.totalExportedProfileCounter + message.exportedRecords   Thanks in advance!   Thanks.