Does this mean you did or didn't manage to auth to a non-local account in the end? (I'm thinking not?)   Cheers, Barry ... View more

@gcusello Thanks for this! It helped me understand how to resolve this. The syslog pull script provided by Zimperium has its output in JSON. However the output has some sort of header before the first '{' in every event. Your props.conf uses that header for the TIME_PREFIX  TIME_PREFIX = \<\d+\>\d+\s+ I was able to get the JSON parsed in Splunk by stripping off the header and using eventtimestamp as the TIME_PREFIX props.conf [zj] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true TIME_FORMAT = %m %d %Y %H:%M:%S %Z TIME_PREFIX = eventtimestamp\":\s\" category = Custom description = logs from Zimperium pulldown_type = true KV_MODE = json disabled = false SEDCMD-StripHeader = s/^\<\d+\>\d+\s+\d+\s+\d+\s\d+\s+\d+:\d+:\d+\s[A-Za-z0-9\s-]+//   ... View more

@gcusello  Perfectly valid questions 🙂 SEDCMD is for the correct sourcetype? - I think this may be relevant. There was an upgrade on some of the TA's recently. The previous winevent sourcetypes are now the "source". So I think I may need to change the stanza to [source::my_winevent_source] in props.conf   did you tried to put both on HF and Ind? - No, this is just on the HF where it also indexes the data   did you restarted HF? - Yes  ... View more

Hi @geoffmoraes, Good for you. Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated 😉 ... View more

Thanks @gcusello ! ... View more

Thanks! I didn't think about decimal "time". It makes sense now. ... View more

Had to tweak it a bit, but this helped. Thanks! ... View more