I'm using Splunk to analyze Linux audit logs.
My query looks like this:
index="my index" action=success (type=USER_LOGIN) | iplocation addr | table Country, addr, _time, type, acct | sort by _time
Before every USER_LOGIN event, there is a USER_AUTH event that shows what account name was used.
How do I get the events that happened right before each USER_LOGIN event to show up in my search results?
I am using Splunk Enterprise to upload log files and generate a timeline. I am uploading a Linux secure.log file. It has a date and time stamp, but is missing the year. Splunk is automatically assigning the year 2018. I want to manually set the year to 2017 for just this one log file - not other files. Is there a way to automatically assign the year 2017, but keep the rest of the date on the "Set Sourcetype" screen? Apparently you can edit props.conf, but I don't know if that will affect other files too.