For anyone using 7.3.8 that stumbles upon this and needs a current link to the docs regarding exported Windows log files: https://docs.splunk.com/Documentation/Splunk/7.3.8/Data/MonitorWindowseventlogdata  ... View more

Thank you, this also got me a lot closer. I ended up having to convert the time with "mktime".   | rename "First Discovered" AS FD | convert timeformat="%b %d, %Y %H:%M:%S %Z" mktime(FD) | stats count min("FD") AS FD BY Plugin,Severity | fieldformat FD=strftime(FD,"%m-%d-%Y %H:%M:%S %Z") | sort -count     This post helped with the conversion: https://community.splunk.com/t5/Splunk-Search/How-can-i-convert-String-Type-Time-field-a-to-a-human-readable/m-p/93941#M24184  ... View more

Hi Good News, i have with your help got this fixed, had to creat the msad index as it did not exist. also i noticed in the inputs file that i hadnt enabled some settings. ... View more