Yes `AUTO_KV_JSON` being set to true then this should work without issue. Very abnormal to me as `rex` is working to hit and extract via a named group match. ... View more

I apologize.  I meant to use "N" as a replacement for a number, but didn't test the JSON. This is usually a number, and I have corrected the above. This isn't it, unfortunately. ... View more

How is this looking, gentlemen? ... View more

Ran into the same request... In my case, at least, they are looking to execute the `sendemail` command, and they are state that `list_settings` capability will provide them with the ability to... as I've assigned direct roles of `ess_admin` (not an intended option from the RBAC design of ES, but we did this anyway), and `ess_analyst`.  It is stated neither role can use `sendemail`. I've located the following: https://docs.splunk.com/Documentation/Splunk/8.2.1/Alert/Emailnotification#Prerequisites       To send an email notification within a search to a mail server that does not require SMTP authentication, your role must have the list_settings capability. By default, only the admin, splunk-system-role, and can_delete roles have the list_settings capability. If you want to allow users not belonging to any of these roles to send email notifications using the sendemail command in their search, you must assign them the list_settings and schedule_search capabilities.       And this link: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/SearchReference/Sendemail#Capability_requirements     To use sendemail, your role must have the schedule_search and list_settings capabilities.       However, this post contradicts that documentation: https://community.splunk.com/t5/Splunk-Search/What-capabilities-are-required-for-the-quot-sendemail-quot/m-p/397465/highlight/true#M115367 Here I might grant permission to the roles (`ess_admin`, `ess_analyst`), but this still wouldn't allow those roles the ability to actually obtain the SMTP settings, which I imagine `list_settings` allows them to do.... because it's named "list_settings" and, as you linked, this capability...     Lets the user list and view server and introspection settings such as the server name, log levels, etc.       Hope this helps, Matt ... View more

Has to way back to 6.x for some legacy systems and can confirm... no clear support for targetUrl (so no https or http). ... View more

I'm not sure where you're replies are, but I am seeing them via email notifications. I have tested with the following props.conf on the UF only: [this:adminevents] SHOULD_LINEMERGE = false CHECK_FOR_HEADER = false #KV_MODE = auto #TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N-05:00 #TIME_FORMAT = %FT%T.%6N%:z #TIME_PREFIX = Timestamp\s*:\s #TZ = -05:00 The _time is not extracted. ... View more

Thank you for providing a test. This works for any existing records at search time (of course). I am performing extraction in props.conf within the TA on the local UF. That strptime() string does not work currently within the props.conf as: [this:adminevents] SHOULD_LINEMERGE = false CHECK_FOR_HEADER = false TIME_FORMAT = %FT%T.%6N%:z Is it safe to assume that I also need to place this on my HF (or indexers)? I was expecting that props.conf operates on the UF to perform timestamp extraction? Thanks, Matt ... View more

This does not work. I want to state a few things here to be transparent. This is a legacy OS, and I had to install an older version of Splunk. I have pushed the new datetime.xml to the client, stating "Version 4.0", therefore, unless there were changes in the strftime() support from the version I am on, I don't expect there to be challenges. Please note that I also used the TIME_FORMAT %Y-%m-%dT%H:%M:%S.%6N-05:00 without luck. ... View more

It appears that I am, in fact, not using ISO8601, but RFC3339. This page goes into the differences and similarities. RFC 3339 is more strict, and has provisions for timezone. This brought me to this answers post. I expect the answer to be and will test now: %Y-%m-%dT%H:%M:%S.%6N%z But in the doc you linked, %z does not have a definition for -05:00 , but only -0500 or -5:00 or -05:00:00 . I could explicitly use %:::z:00 , but I then believe splunk may not properly extract the timstamp. ... View more

IT was my macro SPL. Once fixed, the issue did not persist. It happened that the two macros I tested were both incorrect. Of course. 😄 ... View more

After some testing, it's clear to use regular escape syntax: blacklist3 = EventCode="5145" Message="Share Path:\s*(\\\?\?\\D:)" ... View more