May want to just use index time if in the same timezone - or keep that in mind for this particular sourcetype
props.conf
[sourcetypeName]
DATETIME_CONFIG = CURRENT
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?utm_source=answers&utm_medium=in-comment&utm_term=props.conf&utm_campaign=refdoc#Timestamp_extraction_configuration
Try removing the | search Name=* so as to have: sourcetype=office365 ResultStatus=Succeeded Operation=UserLoggedIn
| lookup sensitive_accounts.csv UserId AS UserId OUTPUT Name
| iplocation ClientIP
| search Country!="United States"
Rather: sourcetype=office365 ResultStatus=Succeeded Operation=UserLoggedIn (UserId="john.doe@whateverdotcom" OR UserId="jane.doe@whateverdotcom" OR UserId="man.face@whateverdotcom" OR UserId="onemore.example@whateverdotcom")
| iplocation src_ip
| search Country!="United States"
It would appear that you should specify a field for the iplocation command. E.g. | iplocation src_ip
sourcetype=office365 ResultStatus=Succeeded Operation=UserLoggedIn
[inputlookup sensitive_accounts.csv]
| iplocation src_ip
| search Country!="United States"
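The subsearch approach above as a scheduled alert in savedsearches.conf, added here as an example and not code from the thread; the lookup file name, its UserId column and the ClientIP event field are assumptions taken from the comments.

```ini
# savedsearches.conf (added example, not from the thread)
# Assumes: sourcetype office365, a CSV lookup sensitive_accounts.csv whose
# UserId column matches the event field UserId, and ClientIP as the source
# address field (all hypothetical, taken from the comments above).

[Sensitive O365 login from outside the US]
enableSched = 1
# Run every 15 minutes over the previous 15 minutes.
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# The subsearch returns one row per CSV line and Splunk rewrites it into
# (UserId="a" OR UserId="b" ...), so the CSV column name must equal the event
# field name. "fields UserId" stops extra CSV columns (e.g. Name) from being
# ANDed into each row of that filter.
# iplocation leaves Country empty for private or unresolvable addresses, and
# "Country!=..." would silently drop those events; coalesce keeps them visible.
search = sourcetype=office365 ResultStatus=Succeeded Operation=UserLoggedIn \
    [ inputlookup sensitive_accounts.csv | fields UserId ] \
    | iplocation ClientIP \
    | eval Country=coalesce(Country, "UNRESOLVED") \
    | search NOT Country="United States" \
    | table _time UserId ClientIP Country City
# Fire whenever at least one event matches.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
```

The same filter can be expressed with the lookup form from the earlier comment (`| lookup sensitive_accounts.csv UserId OUTPUT Name | where isnotnull(Name)`), which is preferable when the CSV is large, since the subsearch form is subject to the subsearch result limit.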