Run a btool to confirm, but it looks like you have a '[default]' stanza inadvertently assigning the incorrect sourcetype. I'd check for the following in /opt/splunk/etc/apps/splunk_ta_onelogin/local/inputs.conf: [default] sourcetype=onelogin:user   ... View more

Hi @PhoebeOh, did you ever figure this out? ... View more

@petra_bee  did you ever find a solution to this? ... View more

A temporary quick fix was changing "evt_resolve_ad_obj = 1" to "evt_resolve_ad_obj = 0" in inputs.conf, however this setting is responsible for automatic resolution of SIDs/GUIDs, thus it is a less than ideal approach. The long-term fix was to upgrade the UF to the latest codebase in 9.1.1. (If you don't want to go to 9.1, 9.0.6 appears to have the fix as well). ... View more

This worked for me. You’ll need to convert your times to epoch, then convert to MM/DD/YY HH:MM as seen below. If you need, use http://strftime.net/ to verify. | eval endDateEpoch = strptime(accountExpires, "%Y-%m-%dT%H:%M:%SZ") | eval endDate = strftime(endDateEpoch, "%m/%d/%y %H:%M") | eval startDateEpoch = strptime(whenCreated, "%Y-%m-%d %H:%M:%S+00:00") | eval startDate = strftime(startDateEpoch, "%m/%d/%y %H:%M") ... View more