May want to just use index time if in the same timezone - or keep that in mind for this particular sourcetype Props.conf [sourcetypeName] DATETIME_CONFIG = CURRENT https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?utm_source=answers&utm_medium=in-comment&utm_term=props.conf&utm_campaign=refdoc#Timestamp_extraction_configuration ... View more

HI -- Try using a password which does not contain special characters. ... View more

Try removing the | search Name=* so as to have: sourcetype=office365 ResultStatus=Succeeded Operation=UserLoggedIn | lookup sensitive_accounts.csv UserId AS UserId OUTPUT Name | iplocation ClientIP | search Country!="United States" ... View more

Rather : sourcetype=office365 ResultStatus=Succeeded Operation=UserLoggedIn (UserId="john.doe@whateverdotcom" OR UserId="jane.doe@whateverdotcom" OR UserId="man.face@ whateverdotcom" OR UserId="onemore.example@ whateverdotcom") | iplocation src_ip | search Country!="United States" ... View more

It would appear that you should specify a field for the iplocation command. E.g. | iplocation src_ip sourcetype=office365 ResultStatus=Succeeded Operation=UserLoggedIn [inputlookup sensitive_accounts.csv] | iplocation src_ip | search Country!="United States" ... View more