Trying to figure out why converting time, which is stored in UTC, is not being converted correctly when going to EST. What I expect to see is -4 hours of what I have stored under my _time value and/or another field which has the same values as well. When I run the following command I get +5 hours from my UTC time. Not sure what I am doing wrong, I'm really new to Splunk so if someone could explain it that would be great. | eval est=strptime(strftime(_time,"%Y-%m-%d %H:%M:%S EST"),"%Y-%m-%d %H:%M:%S %Z") | eval local=strftime(est,"%Y-%m-%d %H:%M:%S") | table _time, local Here are my two values for _time and d_time. As you guys can see they are both stored in the same exact way. What I've been trying to do, with no success, is convert that to Eastern time. _time = 2012-03-01T22:34:28.000+00:00 d_time = 2012-03-01T22:34:28.000+00:00 Also - forgot to mention. I am able to get the correct offset by subtracting hours in seconds from _time. But that doesn't seem like the right way to go about this. ... View more

Hello all, I'm a newbie to Splunk so I'm hoping someone can assist me figuring out how to accomplish the following. On a regular basis I have to search two sets of logs. I'd like to be able to knock it out in one go if possible while at the same time have the ability to display the results I need correctly. The first search I run is: index=network sourcetype=analysisFiles file_accessed="zip" | stats count by srcip, hostname, data Which I then gather up the srcip and run the following search to gather the user information from another set of logs: index=analysisFilesUserAccess srcip="src_ipFromAboveResults" | stats count by user, srcip I figured out how to do a subsearch to pull the account information based on the results from the first search doing the following index=analysisFilesUserAccess * [search index=network sourcetype=analysisFiles file_accessed="zip" | fields srcip |mvcombine delim=" OR " srcip | nomv srcip | rename srcip as search] The problem I'm running into and cant figure out is how to show results from both searches. The subsearch only returns fields related to the second search and I can't seem to table or run stats based on the fields from the first. Ideally what I'd like to be able to do is align the srcip from both searches and append the results from the first. I'd still like to be able to see the same results as running |count by srcip, hostname, data but add the username by the matching srcip from both searches. For example current results from each search when run independently looks as follows: First Search srcip hostname count 192.168.1.49 hostName1 10 192.168.1.98 hostName1 58 Second Search user srcip count user01 192.168.1.49 10 user02 192.168.1.98 58 What I'd like the output to look like is one of the following two ways. Key being that I just added the user results that I got back on a per IP basis. srcip hostname user count 192.168.1.49 hostName1 user01 10 192.168.1.98 hostName1 user02 58 srcip hostname count 192.168.1.49 hostName1 10 user01 192.168.1.98 hostName1 58 user02 Thanks for all the help in advanced. ... View more