×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
aculveruwo
Explorer
Member since: ‎07-09-2015
‎06-05-2020
Community Statistics
Posts 5
Solutions 1
Karma Given 2
Karma Received 1
Member Since ‎07-09-2015
Activity Feed
View All

Re: what is the format to use for a date in a sear...

by Splunk Employee in Splunk Search
‎07-20-2021 06:36 AM
‎07-20-2021 06:36 AM
Thread necromancy I know, but this answer still pops up on the first page of Google results.  If you are trying to set the earliest/latest time in SimpleXML, you need to use either a relative time or Unix epoch time - the date format as described in the original solution does not work afaik. This is documented here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/PanelreferenceforSimplifiedXML#search If you are trying to set earliest/latest using SPL, I think yannk's answer is still correct and the reference on this page is correct: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Specifytimemodifiersinyoursearch#Specify_relative_time_ranges_in_your_search ... View more

Re: Why am I unable to capture an accurate timesta...

by in Getting Data In
‎12-17-2015 10:00 AM
‎12-17-2015 10:00 AM
Add this to your props.conf : TIME_PREFIX = ^(?:"[^"]*",){5}" Also change GMT to UTC . ... View more

Re: How to filter transaction results based on res...

by in Splunk Search
‎10-27-2015 02:16 PM
‎10-27-2015 02:16 PM
Figured it out using a join. host=ADFS* sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=501 OR EventCode=299 OR EventCode=410) | fields _time, Account_Name, Security_ID, Activity_ID, Instance_ID, X_MS_Forwarded_Client_IP, EventCode | eval Account_Name=mvindex(Account_Name, 1) | rex field=X_MS_Forwarded_Client_IP mode=sed "s/(,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})//" | transaction Security_ID Activity_ID Instance_ID maxspan=10s startswith=EventCode=4624 endswith=EventCode=410 | join X_MS_Forwarded_Client_IP [ search index="its-o365-audit" Status=Delivered SenderAddress="<>" FromIP!=129.100.* FromIP!=10.* | top 100 FromIP | search count>5 | table FromIP | rename FromIP as X_MS_Forwarded_Client_IP ] | rename X_MS_Forwarded_Client_IP as IP | stats count by Account_Name, IP ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to
View All