Activity Feed
- Posted Re: What is event id in last pass data? on All Apps and Add-ons. 05-10-2022 01:17 PM
- Posted Re: What is event id in last pass data? on All Apps and Add-ons. 07-01-2020 03:44 PM
- Posted Re: Spath key with period in it on Splunk Search. 01-29-2019 12:51 AM
- Posted Re: Cisco IronPort - Splunk Integration (SCP Issue) on All Apps and Add-ons. 01-23-2019 01:45 AM
- Posted Re: The heavy forwarders we are leveraging appear to be ignoring the props.conf file, resulting in timestamp extraction issue. This particular input is through HEC. on Splunk Dev. 01-23-2019 01:33 AM
- Posted Re: Can you help me with my query involving the eval command and strftime? on Splunk Search. 11-08-2018 05:28 PM
- Posted Re: Download Splunk Conf 2016 Session materials on #Random. 02-28-2017 01:39 PM
05-10-2022 01:17 PM
Hi @lewisk03! Feel free to PR into the project. I've cleared it internally for open-source contributions: https://github.com/splunk/TA-lastpass Basically, the eventid isn't really an event id at all; it's more of an event or queue item counter from the event query REST call, based off of the time parameter in your query. I struggled with this when I first designed and developed the original code, but I've never come to grips with how to best capture these events and the "meta" data while minimizing transformation of the raw data set itself. My happy compromise is to introduce critical fields I think are missing or reformat values that may break analysis, but to not change the original, fundamental data set. I would highly recommend you reach out to LastPass and encourage them to update their API resources (data set) to improve data quality. I don't think these are the ideal responses you're looking for, but hopefully you can take value in what I'm sharing back. Cheers!
07-01-2020 03:44 PM
Hello @tprz! Unfortunately, LastPass doesn't do a great job of providing much information in their API spec doc. The event id, from what I've surmised, is effectively a basic, iterated, sequential count-based id generated from the reporting command API call, based on whatever parameters you've provided in the request. The pros/cons from my perspective developing against the API, given the current constraints:
+ You can easily identify a missing event in the sequence (from 0 .. N, where N is the length of the "Data" field in the response)
+ Should be easy to identify how many events per call (once you apply some decent SPL to extract the count number)
- This event id has no relation whatsoever to the actual payload
- Unfortunately, this event id isn't truly unique (in other data sources, this should be either a UUID or some sort of derivative hash of the event)
Take it for what it's worth though. I didn't feel I should fix/customize for a better event id in the event the vendor updates their event API (and my code would break). I figured get the data out efficiently for those who prefer a TA option. Hope this explanation helps!
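The two replies above make the same point from different angles: the "EventN" key is a per-call counter tied to the query window, so it can flag a missing position in one response but cannot identify an event across calls, and the post suggests a UUID or a derivative hash is what a unique id should look like. The Python below is an added example illustrating both ideas; it is not code from TA-lastpass or from LastPass. The response shape and the field names (Time, Username, IP_Address, Action, Data) are a constructed sample modelled on the description in the posts and are assumptions, not the vendor's documented spec.

```python
"""Gap detection and content-derived ids for LastPass reporting-API events.

Added example, not TA-lastpass code. WINDOW_A / WINDOW_B are CONSTRUCTED
responses; the "EventN" keys and the inner field names are assumptions
modelled on the forum description, not the vendor's specification.
"""
import hashlib
import json
import re

_EVENT_KEY = re.compile(r"^Event(\d+)$")

# Constructed: two overlapping query windows. alice's "Site Added" event
# appears in both, but receives a different per-call counter each time.
WINDOW_A = {
    "status": "OK",
    "data": {
        "Event1": {"Time": "2020-06-30 09:00:00", "Username": "alice@example.com",
                   "IP_Address": "198.51.100.10", "Action": "Log in", "Data": ""},
        "Event2": {"Time": "2020-06-30 09:05:12", "Username": "bob@example.com",
                   "IP_Address": "198.51.100.11", "Action": "Failed Login Attempt", "Data": ""},
        # Event3 deliberately absent so the gap check has something to find
        "Event4": {"Time": "2020-06-30 09:07:40", "Username": "alice@example.com",
                   "IP_Address": "198.51.100.10", "Action": "Site Added", "Data": "corp-vpn"},
    },
}
WINDOW_B = {
    "status": "OK",
    "data": {
        "Event1": {"Time": "2020-06-30 09:07:40", "Username": "alice@example.com",
                   "IP_Address": "198.51.100.10", "Action": "Site Added", "Data": "corp-vpn"},
        "Event2": {"Time": "2020-06-30 09:30:00", "Username": "carol@example.com",
                   "IP_Address": "203.0.113.5", "Action": "Log in", "Data": ""},
    },
}


def parse_events(response):
    """Return [(counter, event_dict)] sorted by the per-call 'EventN' counter."""
    out = []
    for key, ev in response.get("data", {}).items():
        m = _EVENT_KEY.match(key)
        if m:  # skip any non-event keys the API might add alongside the events
            out.append((int(m.group(1)), ev))
    return sorted(out, key=lambda t: t[0])


def find_gaps(counters):
    """Counters missing from 1..max: a cheap per-call completeness check,
    valid only within one response because the counter restarts per call."""
    if not counters:
        return []
    present = set(counters)
    return [n for n in range(1, max(counters) + 1) if n not in present]


def derive_event_id(event):
    """Content-derived id: SHA-256 over a canonical JSON rendering of the raw
    event. Stable across calls and windows, unlike the counter. Caveat: two
    byte-identical events (same second, same fields) collapse to one id."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def enrich(response):
    """Add lp_counter and event_id next to the vendor fields, leaving the
    original values untouched (add fields, do not rewrite the data set)."""
    enriched = []
    for counter, ev in parse_events(response):
        rec = dict(ev)  # shallow copy; vendor fields are not modified
        rec["lp_counter"] = counter
        rec["event_id"] = derive_event_id(ev)
        enriched.append(rec)
    return enriched


def dedupe(*responses):
    """Merge overlapping windows, keeping one record per content-derived id."""
    seen = {}
    for resp in responses:
        for rec in enrich(resp):
            seen.setdefault(rec["event_id"], rec)
    return list(seen.values())


if __name__ == "__main__":
    print("gaps in window A:", find_gaps([c for c, _ in parse_events(WINDOW_A)]))
    merged = dedupe(WINDOW_A, WINDOW_B)
    print(len(merged), "unique events across both windows")
    for r in merged:
        print(r["event_id"][:12], r["lp_counter"], r["Time"], r["Action"])
```

The counter is kept as its own field (lp_counter) rather than being dropped, since it is the only thing that lets you spot a hole inside a single response; the hash is what you key dedup and correlation on when polling windows overlap. Because Time has one-second granularity in the sample, a hash over the payload alone treats two identical actions in the same second as one event; if that matters for your data, widen the hashed fields or accept the collision knowingly.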
01-29-2019 12:51 AM
First of all, I don't think the formatting is correct. Your field granny.smith should certainly be wrapped in quotes to be read properly (try double quotes). I would recommend using any sort of coding library to help do this for you. But even if the event data were printed in a proper format, you'd need to extract your fields somehow.
I would recommend either of two solutions, presuming your event data is completely in JSON format:
Create a custom sourcetype props stanza and set KV_MODE to json:
[sourcetype]
KV_MODE = json
Preferred, as this search-time extraction will consistently extract fields from the JSON data, reducing the need to append to every search query manually
Reference: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Exampleconfigurationsusingfieldtransforms
Use spath command within your search
*SPL* | spath
This command will pull from the _raw field by default, but you can specify any other field
Reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath
Either way, once you have those fields, whenever you reference them thereafter you'll need to use single quotes for any sort of calculated field manipulation. In your case, if the fields were indeed extracted and you wanted to filter on one of them, here's an SPL query sample:
index=main | where 'granny.apple.color' != "green"
Give that a shot.
01-23-2019 01:45 AM
First of all, you should never be using root to SSH/SCP anything, especially if it's publicly facing infrastructure.
Secondly, can you even verify that SSH for the root user is enabled? By default, your sshd should have that disabled.
Thirdly, what are your debug logs for both client and server? I would presume testing against root user is disabled for SSH access, but would like to see the actual reason for failure.
01-23-2019 01:33 AM
What are your configurations for the HEC endpoint? Looking for the default sourcetype for inbound data.
Also, can you provide a sanitized sample of how you're invoking the HEC endpoint, and what parameters you are using in your testing?
11-08-2018 05:28 PM
Is time_of_last_change in epoch? As sduff has indicated, you're trying to diff string/text values. Not going to work.
Use strptime to convert the string into an integer in epoch.
You'll need to compare two different epoch values to make your tostring(<val>, "duration") usable here.
eval diff = tostring(relative_time(now(), "-1h") - time_of_last_change, "duration")
02-28-2017 01:39 PM
Also feel free to check out this app that one of our Splunkers built for this:
https://splunkbase.splunk.com/app/3330/