Hi Splunkers, I have to schedule a Saved Search in Splunk Enterprise Security that must be executed in a specific time range. The task itself is not a problem; I followed  Configure > Content > Content Management -> Create new content -> Saved search and then, cause the search must sent a mail at every activation, I have chosen New Alert. The problem is the required time range: this alert must detect some kind of activity performed outside job office hour, so 18:01 of current day - 08:59 of day after (this every day).  So, for example, the search must be "active" starting from today at 18:01 until tomorrow at 08:59. My doubt is: how can I configure this time range?  This is the alert configuration window:   I thougth about using Crontab, but I'm not sure I can configure a time range wich has not the same day for starting and ending time. I thougth also about the All time panel but I didn't find anithing that help me to configure this particular time range.  

I see a strange behaviour in Splunk. There is this SPL, when ran between 3/13/2022 6:00 AM to 3/14/2011 6:00 AM time range shows some events at 3/13/2022 - 7:00 AM (Between 7-8 AM).  But when I re-run the same SPL between 3/13/2022 6:00 AM to 3/13/2011 8:00 AM , hoping to see the same set of events, But I see ZERO events !!    This is very strange !! Am I missing something simple  here..? Why this weird behaviour ? Additional Observation :  When I change the time range between 2/12 to 3/13 - the events shows,  But when I keep the same date 3/13 7 AM to 3/13  10 AM - It doesn't show. It works when the time range is more that 24 hours

Hi peeps, I would like to trigger an alert from Splunk and send the alert to a third-party app. The third party-app can only receive and parse data by raw events.  I create the alert using the 'stats' command which generating a statistic, which means the alert are send is a  statistic to the 3rd party app. How do we send the raw event from the statistic data as an alert? Please help.

I am facing challenges while extracting the data from emails, using the Microsoft O365 email add on. I want to extract the "Requested for" and "Finished" for which respective values are "ABC.ITGLOBAL@XYZ.com" and "Fri, Mar 11 2022 15:09:29 GMT+00:00". I have tried Regex101 site and could successfully test a Regex pattern as below for matching the value for "Requested for" but the same pattern doesn't work in Splunk. (?i) for\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\w+\-\w+:\w+\-\w+\"\>(?P<Requested_For>\S+)(?=\<\/td) I need help here to sort this out, please if anyone can share their thoughts here. Finished</td><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; word-break:break-word">Fri, Mar 11 2022 15:09:29 GMT+00:00</td></tr><tr><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:nowrap; font-weight:600; min-width:130px">Requested for</td><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; word-break:break-word">ABC.ITGLOBAL@XYZ.com</td></tr><tr><td class=""  

Hello Splunkers, I need urgent help on how to fix the below issue    I need to configure splunk DB connect to be able to connect to MSSQL later. Splunk is installed on CentOS 7 and I have installed the JRE  and the path is (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/) however I still can't start the Task server and keeps failing.   I have restarted Splunk and the VM itself and issue still persist.