Hi @jconger , Thanks for your advice. I have created a new input named Prod_AAD_Audit5 and can see the start time is correct by going back to the past seven days. "activityDateTime+gt+2022-09-21T23:56:27.306392Z" Unfortunately getting the connection was broken by 'ReadTimeoutError" and finally stopped by the "Max retries exceeded with URL" after five times retrying. "2022-09-28 23:56:53,529 ERROR pid=25364 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events. Traceback (most recent call last): File ""/opt/splunk/etc/apps/TA-MS-AAD/lib/urllib3/connectionpool.py"", line 449, in _make_request six.raise_from(e, None) File ""/opt/splunk/etc/apps/TA-MS-AAD/lib/urllib3/util/retry.py"", line 592, in increment raise MaxRetryError(_pool, url, error or ResponseError(cause)) urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='graph.microsoft.com', port=443): Max retries exceeded with url: /v1.0/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2022-09-21T23:56:27.306392Z+and+activityDateTime+le+2022-09-28T23:49:27.438651Z (Caused by ReadTimeoutError(""HTTPSConnectionPool(host='graph.microsoft.com', port=443): Read timed out. (read timeout=5)"")) 2022-09-28 23:56:27,438 DEBUG pid=25364 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ input_name=Prod_AAD_Audit5 Audit URL used: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2022-09-21T23:56:27.306392Z+and+activityDateTime+le+2022-09-28T23:49:27.438651Z 2022-09-28 23:56:32,458 DEBUG pid=25364 tid=MainThread file=retry.py:increment:594 | Incremented Retry for (url='/v1.0/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2022-09-21T23:56:27.306392Z+and+activityDateTime+le+2022-09-28T23:49:27.438651Z'): Retry(total=2, connect=3, read=2, redirect=None, status=None)
... View more