I have a field returned with some search data that contains a date and time in UTC.  I would like to be able to add 10 hours to the time. a) Field contents(dateTime UTC):  2023-05-08T00:24:37.6079338Z b) New field (Local dateTime):         2023-05-08 10:24:37.607 Is there a way to do the conversion from a) to b) in the search syntax? ... View more

I'm trying to exclude a specific file called catalina.out in /var/log/tomcat9/ from being processed by Splunk.  The file is being sent to my heavy forwarder and I have the following in inputs.conf  [monitor:///var/log/tomcat9] blacklist=(catalina\.out) disabled = 0 The data continues to be processed.  What am I missing? ... View more

How do I take the results of a search pass a field into a dbxquery and then display results from both the search and the dbxquery? In this example, the search returns data about specific emails where the sender domain is found in the csv file lookup.  I then want to take the Sender email address, use it in the WHERE clause  of the dbquery to return the accoutname field from the db.  Then finally, display various fields in a table including results from the search and the field returned by the dbxquery select.   index=email Act IN ("Acc") Sender!="*mydomain.com" [ | inputlookup susDomains.csv | stats values(domain) AS search | format ] | eval senderEmail=split(Sender,"@") | eval senderDomain=mvindex(senderEmail,1) | eval acctCode=if ((acc="CAU3A274"),"Admin","Manager") | eval SQLRcpt = "'".Rcpt."'" | map search="| dbxquery query=\"SELECT accountname FROM [IDM].[drip].[usr_hist_tbl] uht WHERE uht.mail = $SQLRcpt$ ; \" connection=\"Subscriber_History\"" | table _time,senderDomain,Sender,Rcpt,Subject,acctCode,accoutname,SQLRcpt | sort -_time   This search returns no data when I know there are records that should be returned. Can anyone see where I may have gone wrong? Thanks Leigh ... View more

I have a data source that is being ingested into Splunk using a default field extraction which is working fine.  The data looks like:   DateTime=2020-11-24-10.38.00.869407,type=New-Request,Username=9999999,Client-Mac=F8-4E-73-xx-xx-xx,Called-Station-Id=A0-D3-C1-zz-zz-zz,SSID=myWiFi,NAS-IP=192.168.141.130,Nas-Identifier=CISCO_AP:CN3AD338P5,NAS-Port-Type=Wireless-802.11,Campus=SMB,Location=SMB Buildings HI   The data is being parsed correctly and I get the field name / value pairs in Splunk no problem (field_name=value).  The issue I have is the last field, Location. The default field extraction is extracting the Location field however if the value contains spaces I am only getting up to the first space as the value in the indexed data.  From the above example, my Location data is returning "SMB" only and not "SMB Buildings HI".  Is there any way to resolve this to either prevent it splitting the value at the space, or to replace the space with another character such as '_'. ... View more

I have a search that returns two fields, Username and Location, for a specific username.  To extend this search, I would also like to see: a) any other usernames, in addition to the one searched for, in the same location(s).  So if the initial search returns two different locations, I would like to see the additional users for both locations; b) if the _time value for the additional usernames are within 15minutes (+ or -) of the initial username. Current search that returns the data for a specific Username is     (index="o365" OR index="main") (type="New-Request" OR Operation="*") Username="smith*" Campus="MainSite" | dedup Username,Location | fields _time,Username,type,Operation,Location,DateTime,SSID,Campus,src_ip,Client_Mac | table Username,Location       I'm assuming I need to do a nested search, I'm just not sure how to prepare it and pass the relevant location to return the addition usernames. ... View more

I have a data source that I have done a manual regex field extraction and all works fine.  Fields are correct and parsing the data as expected. A manual search is returning the result I expect when run in verbose mode however, if I run in Fast or Smart modes, the results I get back seem to be approximately 2 hours behind the current data shown in Verbose mode.  All the fields are there and I'm getting data back, it's just old data. The search is:       index=main host="my.host.name" sourcetype="ProcessedUser*" | fields _time,timeStamp,action,src_ip,src_mac,user | table timeStamp,action,user,src_ip,src_mac | head 5       While running in a normal search is not a problem as I can switch search modes, however when running in a dashboard is a problem as it does not use Verbose mode. Any suggestions greatly appreciated.   ... View more