Hi, I know a similar question has been asked a million times, but I've tried all the solutions and nothing is working so I'm at my wits end with this. Essentially, my search is just finding AD accounts that are still active but their expiry date has passed the current time of the search (expired but still active accounts). My search query is this: index=activedirectory sourcetype="ad:identity" NOT(expiry="(never)") category=normal | eval time_now = strftime(_time, "%d/%m/%Y %H:%M:%S") | eval expiry_readable = strftime(expiry, "%d/%m/%Y %H:%M:%S") | table time_now, identity, nick, email, expiry_readable, category | rename time_now as "Current Time", nick as "Name", identity as "Username", email as "Email", category as "Account Status" | dedup Username, Name, Email | sort -expiry_readable I've tried strptime as well but nothing is working. My table statistics just show all blanks for expiry_readable which is really infuriating as I need the eval command to work so I can further filter down results based on that timestamp. FYI, the field in my events is called 'expiry' by default from the logs, and it returns timestamps such as: "2019-12-12T16:00:00Z" Also, I have tried things such as: where(expiry <= now()) and where(expiry <= _time), where(expiry <= time_now) but none of that works either (to filter down results based on the time I need)... Any solutions would be appreciated. ... View more

Hi, Our text search bar filter works for all panels but one. However, it does load new data initially when booting the dashboard. According to the user which uses this dashboard, it stopped working after one of our Splunk admins added the _time field in the table (I don't feel this is the case). Below is the search query for the panel NOT working with our search bar filter: sourcetype=cerberus-ftp host=SERVER_NAME (src_ip="" OR user="" OR (file="" AND file_action="")) * | transaction connection_id | mvexpand file | mvexpand file_action | rex field=file_action mode=sed "s/stored/Uploaded/g" | rex field=file_action mode=sed "s/sent/Downloaded/g" | rex field=file_action mode=sed "s/deleted/Deleted/g" | search file_action=Uploaded | table _time, file, file_action | dedup file Below are the three dashboard panel search queries which ARE working with our search bar filter: host=SERVER_NAME sourcetype="SOURCE" EventCode!=500 *PRD | table _time, SourceName, EventCode, file | eval SourceName = mvindex(SourceName,0) | lookup workday_sftp_sql_eventcodes EventCode OUTPUT Action | fields _time, SourceName, file, Action | sort -_time | table file | dedup file sourcetype=cerberus-ftp host=SERVER_NAME(src_ip="" OR user="" OR (file="" AND file_action="")) *PRD | transaction connection_id | mvexpand file | mvexpand file_action | rex field=file_action mode=sed "s/stored/Uploaded/g" | rex field=file_action mode=sed "s/sent/Downloaded/g" | rex field=file_action mode=sed "s/deleted/Deleted/g" | table _time, connection_id, user, src_ip, file, file_action host=SERVER_NAME sourcetype="SOURCE" EventCode!=500 *PRD | table _time, SourceName, EventCode, file | eval SourceName = mvindex(SourceName,0) | lookup workday_sftp_sql_eventcodes EventCode OUTPUT Action | fields _time, SourceName, file, Action | sort -_time Any help with this is greatly appreciated! Fraser ... View more