Check your strftime is correct in the props.conf

A simple method for checking whether your strftime (TIME_FORMAT=) in props.conf matches the timestamp format of your log file. strftime(X,Y): this function takes a UNIX time value, X, as the first argument and renders the time as a string using the format specified by Y. The UNIX time must be in seconds. Use the first 10 […]


Remove Z or T string from your Timestamp

| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated "(?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+)" | eval timestamp=timestampA + timestampB | eval timestamp=strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N") | eval timestamp=strftime(timestamp, "%c") | fields - timestampA timestampB


Find passwords in User_Name field

This eval for passwords can be used on any field where a user may accidentally type in a password, or worse both username and password, during login, which generates a failed event. The example below is for Windows failed logins. The eval will match 10 or more characters with 1 uppercase, 1 lower case, 1 […]
