I forgot to mention that there is a great place to test your code and it has a codex of regex commands to reference. https://regex101.com/ ... View more

This will work much better and faster then my previous regex. ... View more

If there is more data after page: then use this: "action":"(?<test>\w+|.+)" This will grab everything inside the quotes ... View more

Hi dwong2, Try it in https://regex101.com/ "action":"(?<test>\w+|.+)" Basically you want to tell regex to search for "Action" and group any of the results into a field we can call on later, which in this example I named "test". ... View more

Hey jcal, Take a look at this article and see if that helps: http://dev.splunk.com/view/quickstart/SP-CAAAFDH ... View more

Hey, so the below eval will run against the current time, then extract the current month and label it as currentmonth: | eval currentmonth=relative_time(now(), "@mon") For example "currentmonth" returns this value today: 1522562400.000000 Put that into a website like this : https://www.epochconverter.com/ Then you have a epoch time that Splunk created for the begining of the month: GMT: Sunday, April 1, 2018 6:00:00 AM Then the @mon part of the search, extracts specifically the month from the currently time. You could easily tweak this to do the same to which ever field is generating your date and time. | eval new_date=strftime(strptime(<yourfield>, "%Y-%m-%d %H:%M:%S"),"%m") ## This will convert your field into epoch time. Then you could use something like below to tell your search which month you are looking for. | eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") | where new_date <= end AND new_date >= start AND _time <= end AND _time >= start | ... View more

I used this Splunk answers when i ran into this problem: https://answers.splunk.com/answers/499990/is-it-possible-to-assign-different-timestamps-base.html I forgot to mention I also had to use Transforms ... View more

I believe I had to teach Splunk to recognize the different using Regex and the time_format props.conf settings. The Add data GUI in the SH really helped me accomplish this as i could test my regex and time_format settings on the fly and see how it would affect my data before it was ingested. ... View more

Hey Rkassabov, Try something like this: Your search | eval currentmonth=relative_time(now(), "@mon") | eval previousmonth=relative_time(now(),"-1mon@mon") | In your case you can use whatever field generates 2018-02-22 21:54:00.380000 and have eval convert it to a month and then use more evals to do the math. https://answers.splunk.com/answers/290050/how-to-extract-month-from-a-date-field-and-sort-by.html Or you can try converting the date field into Epoch Time, which I found much easier to work with. For example, I wanted to see only tickets from the previous month in my ticketing system (however my resolved_at field was hard to work with so I converted it to epoch time): | eval Rtime=strptime(resolved_at, "%Y-%m-%d %H:%M:%S") | eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") | where Rtime <= end AND Rtime >= start AND _time <= end AND _time >= start | ... View more

Hey Jim, You may need to try something like this http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Configuretimestamprecognition I had a similar issue where one event would have milliseconds but the other did not, so I create a props.conf for it. TIME_FORMAT = <strptime-style format> In your case I think it would look something like this: TIME_FORMAT =%Y-%m-%dT%H:%M:%S.%q You can play with this in the GUI to see how it works, if you have a sample log and try Settings>Add Data>Upload ... View more

Hey Akunec, Have a look at https://docs.splunk.com/Documentation/SA-LdapSearch/2.1.6/User/Theldapsearchcommand ... View more

Yeah we had similar issues with the data, our work around was to just gather everything in a lookup daily, then run searches off the lookup tables. ... View more

Maybe something like this? search memberOf="CN=Patch*" AND memberOf=(OU=Patches,OU=Wintel,DC=Mydomain,DC=com) ... View more