This alternative worked for me. Where I wanted to expand a multivalue field, show the length and search for one above a certain length value:   | mvexpand Logon_ID | eval length = len(Logon_ID)| search length >5 ... View more

Thanks again, this fixed my issue. I had actually had the same config as you, but my wildcard match condition syntax was incorrect, I had WILDCARD(Process_Command_Line)(score)   When it should have been just WILDCARD(Process_Command_Line) ... View more

Thanks for taking the time to look at this. I will re-check to see what we are doing wrong compared to your example. ... View more

Yes we have this defined and the wildcards for the fields seem to be working for the 'Process_Command_Line' fields. ... View more

Thanks this worked for me ... View more

Thanks, just what i was looking for. ... View more

Thanks, some useful links here. ... View more

Hi @somesoni2 when i try this, i get "Error in 'eval' command: The arguments to the 'case' function are invalid." do you know why this is the case? ... View more

Thanks worked for me! ... View more

Thanks @venkatasri  yep am aware of that, but when we use the older version of this app: ServiceNow Security Operations | Splunkbase if you enter the parameters in via the gui, the password is encrypted into a passwords.conf file automatically.       ... View more

Our query size window is set to 10, and delay throttle of 5. However, below are the actual times data was pulled into Splunk: 08/07/2021/05:58:56  08/07/2021/04:48:29  08/07/2021/04:32:54 08/07/2021/02:58:49  08/07/2021/01:50:45  08/07/2021/00:18:25  ... View more

Hi there, nope we still have the issue. Sometimes it obeys the interval, but it tend to pull in logs at random intervals. We had to write a simple alert to notify us if we don't see any logs after 4 hrs. We still see the continuous connections every minute or so. ... View more

Thanks this worked like a charm! ... View more

Thanks, yep Splunk was running under the expected account. Compared the permissions for splunk_app_db_connect/linux_x86_64/bin against another working version and they were different. changed it to 700 and seems to have come back working fine. ... View more

This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs. This may help you: https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporti... Also from the App: https://splunkbase.splunk.com/app/3720/#/details Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes. Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay ( reference ). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now". ... View more

This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs. This may help you: https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporting-Add-on-for/m-p/437206#M53764 Also from the App: https://splunkbase.splunk.com/app/3720/#/details Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes. Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay ( reference ). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now".   ... View more

You should be able to do an index once. Can't remember how far you can go back but you should be able to do 20-30 days worth?    [ms_o365_message_trace://index_once] delay_throttle = 1 index = ******** input_mode = index_once interval = -1 office_365_password = ******** office_365_username = ******** query_window_size = 60 start_date_time = 2021-01-01T11:01:01 end_date_time = 2021-01-27T11:01:01 ... View more