Hi All I am using Office365,  i have an office365 unified group and users are getting removed from this office365 group automatically everyday.  I want to get the data who has removed or added the users to this group. When i use the below query, I am not getting any output please guide me. Lets say my group name is MyGroup1 and its email address is MyGroup1@contoso.com sourcetype=o365:management:activity (Operation="*group*") unifiedgroup="*MyGroup1*" | rename ModifiedProperties{}.NewValue AS ModAdd | rename ModifiedProperties{}.OldValue AS ModRem | rename UserId AS "Actioned By" | rename Operation AS "Action" | rename ObjectId AS "Member" | rename TargetUserOrGroupName as modifiedUser | table _time, ModAdd, ModRem, "Action", Member, "Actioned By" "modifiedUser" | stats dc values("modifiedUser") by Action "Actioned By" ... View more

Hi All i have an unified group(i.e office365 unified group) created from Office365.  i want to know membership details i.e who has added/removed users to this group. This group will also be visible in Azure AD. i can check audit logs in Azure AD and it shows only for a month. i am trying below splunk query to fetch membership information from both Azure AD and office365 but i am not getting output. ug@contoso.com is my group  name     sourcetype=azure*:management:activity (Operation="*Change user*" OR Operation="*Update user*") ObjectId="*ug@contoso.com*" (UserId!="Certificate" AND UserId!="ServicePrincipal*" AND UserId!="Sync*") (ModifiedProperties{}.NewValue!=" " AND ModifiedProperties{}.OldValue!=" ") | rename ModifiedProperties{}.NewValue AS ModAdd | rename ModifiedProperties{}.OldValue AS ModRem | rename UserId AS "Actioned By" | rename Operation AS "Action" | rename ObjectId AS "Member" | sort -_time | table _time, ModAdd, ModRem, "Action", Member, "Actioned By"             ... View more

Hi All I have a room mailbox in office365 and i want to get the information of how many meetings were booked for one month. i am using the below two queries but i am not getting the output. can anyone help me correct the syntax. Query1 index=mail sourcetype="ms:o365:reporting:messagetrace" | rename RecipientAddress as email | lookup meeting_rooms email | search NOT subject=Canceled:* | bucket _time span=1h | stats dc(email) as invited values(name) as room_name values(email) as invitees by SenderAddress subject _time | rename subject as meeting_subject | search room_name="room1@mydomain.com" | lookup meeting_rooms name as room_name outputnew email as room_email | stats sum(invited) as room_total by room_name room_email Query2 index=mail sourcetype="ms:o365:reporting:messagetrace" | rename RecipientAddress as email | lookup meeting_rooms email | search NOT subject=Canceled:* | bucket _time span=1h | stats dc(email) as invited values(name) as room_name values(email) as invitees by SenderAddress subject _time | rename subject as meeting_subject | search room_name="Room1" | stats sum(invited) as room_total by room_name ... View more

On one of my RHEL 7.9 server, i am seeing splunk service is Active:active(exited). i am using 8.2.2.0. please guide me to fix the issue. [root@srv01 ~]# systemctl -l | grep -i splunk splunk.service loaded active exited SYSV: Splunk indexer service [root@srv01 ~]# systemctl status splunk.service Active: active (exited) ... View more

Hi All i have an exchange onprem distribution list, lets say dl@mydomain.com i want to know how many emails are triggered to this DL in one year, experts please help me with the splunk query to get this information. ... View more

Hi All I have an AD Account how can i know what modifications has been done in last one month on this account from splunk and who has modified. i want to export this information to csv file. ... View more

Hi All i have a requirement to upgrade splunk forwarder from 7.1 to 7.3.3, I will use sccm to upgrade to 7.3.3, experts please help me with silent string without reboot option to perform the upgrade. ... View more