We recently had a conversation with a MS support engineer who suggested that since we are just reading the logs, the Cloud Application Security Token, Tenant Subdomain,  and Tenant Data Center values may not be required. I have not had an opportunity to test this yet, but I would suggest giving that a try. ... View more

I have a modified version of this which has been functioning in a dashboard for more than the past 12 months. We just upgraded to version 8, and instead of displaying the date/time range, I am receiving "Invalid date to Invalid date". Any ideas/suggestions? <table> <title>Click use_case to drill down.</title> <search> <!-- 20190627 BEGIN --> <progress> <!-- Parse ISO time from the search job --> <eval token="parsed.earliest">strptime($job.earliestTime$, "%Y-%m-%dT:%H:%M:%S.%Q%z")</eval> <eval token="parsed.latest">strptime($job.latestTime$, "%Y-%m-%dT:%H:%M:%S.%Q%z")</eval> <!-- Pretty print the parsed time --> <eval token="formatted.earliest">strftime($parsed.earliest$, "%c")</eval> <eval token="formatted.latest">if(isnull($job.latestTime$), "the end of time", strftime($parsed.latest$, "%c"))</eval> <!-- Create time window message --> <eval token="timewindow.formatted">if(isnull($formatted.earliest$), "...", $formatted.earliest$ + " to " + $formatted.latest$) + if($job.isRealTimeSearch$, " (real-time)", "")</eval> </progress> <!-- Clear time window message when the search gets cancelled or fails --> <cancelled> <unset token="timewindow.formatted"></unset> </cancelled> <error> <unset token="timewindow.formatted"></unset> </error> <fail> <unset token="timewindow.formatted"></unset> </fail> <!-- 20190627 END --> <query> ... </query> <earliest>$i_time.earliest$</earliest> <latest>$i_time.latest$</latest> <sampleRatio>1</sampleRatio> <refresh>5m</refresh> <refreshType>delay</refreshType> </search>   ... View more

If the condition statement is removed, I believe you will get the functionality you are looking for. ... View more

The token values in the search are set in dropdown inputs which are submitted. ... View more

I apologize for the delayed response, but I have been out of the office for a number of days. I re-tried the example above, and it worked without issue. My next question is the actual search that I am submitting. Should I be replacing "yourRealTimeIndex","yourSummaryIndex" with the actual searches? If yes, I am concerned that I have done something wrong, as the form does not appear to submit and the query doesn't run. <eval token="tokIndex2">if((now()-tokEarliestTime2) &lt;=86400,"index=mail eventtype=pps_filter | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id by internal_message_id, host | fields - _raw | fields + _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, internal_message_id, host| mvexpand file_name | search $i_criteria$=$s_value|s$ AND delivery_status=$d_status$| iplocation infr_ip | rename Country AS country | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, internal_message_id | sort _time","index=summary report=proofpoint_daily_summary | mvexpand file_name | search $i_criteria$=$s_value|s$ AND delivery_status=$d_status$| iplocation infr_ip | rename Country AS country| eval eventtime=strftime(eventtime, "%x, %X") | table eventtime, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, internal_message_id | sort eventtime") </eval> . . . . <row> <panel> <title>Search Messages</title> <table> <search> <query>$tokIndex2$</query> <earliest>$i_time.earliest$</earliest> <latest>$i_time.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> ... View more

I just attempted to copy your code for the first option so to create a test dashboard. When I went to save the dashboard, I received the error "Encountered the following error while trying to save: Error parsing XML on line 16: StartTag: invalid element name" I believe line 16 corresponds to if((now()-tokEarliestTime1)<=86400,"yourRealTimeIndex","yourSummaryIndex") Thoughts? Thank you. ... View more

I think that I might be missing something. My dashboard contains A text input which populates the token "s_value" A dropdown which populates the token "i_criteria" A dropdown which populates the token "d_status" I updated my i_criteria dropdown to include the following: < change> < condition value="x_mailer"> < set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | search delivery_status=$d_status$ | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set> < /condition> < condition value="message_id"> < set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set> < /condition> < condition value="from"> < set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set> < /condition> < condition value="sender_domain"> < set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set> < /condition> < /change> I then replaced my query statement with < query>$s_query$< /query> The query does not run. I receive a message "Search Factory: Unknown search command 's'." In addition, the submit button no longer functions. Any ideas? Thank you. ... View more

Are the BlueCoat logs still being forwarded to the syslog server? Have you noticed errors in any of the log files (splunkd.log, etc.)? Thank you. ... View more

Can you post additional information to help clarify your issue? Are the logs being sent to syslog and then being forwarded to Splunk? Are you using a heavy or universal forwarder? Is the forwarder configured to forward other event logs or only BlueCoat? If the former, are the other event logs being properly forwarded to Splunk? Have you tried stopping and restarting the forwarder service? Thank you. ... View more

The following appears in the Splunk documentation (http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Applytimezoneoffsetstotimestamps) Configure time zones by adding a TZ attribute to the appropriate stanza in props.conf. The TZ attribute recognizes zoneinfo TZ IDs. (See all the time zone TZ IDs in the zoneinfo (TZ) database.) Inside the stanza for a host, source, or source type, set the TZ attribute to the TZ ID for the desired time zone. This should be the time zone of the events coming from that host, source, or sourcetype. ... View more

I have updated the transaction as follows: eventtype=bit9 (cef_name="Banned file written to computer" OR cef_name="New unapproved file to computer") | transaction maxspan=5m maxevents=2 user | table _time,user,cef_name,eventcount I am interested in a situation where a user first triggers "Banned file written to computer" and within a period of 5 minutes then triggers "New unapproved file to computer". I am getting the feeling that the transaction command is not the right way to do this. Any suggestions? Thank you. ... View more

What query could I use to ascertain how close a user is to the srchDiskQuota limit? ... View more