Something like the following may work for you:
<base search>
| eval end_time=strptime("1/1/2020", "%m/%d/%Y")
| eval time_in_days = round((end_time - now()) / 86400, 2)
| table time_in_days
time_in_months can be a little bit harder because of the variable length of days per month.
I suspect what you're seeing on the y axis is the unique count of times a specific requestTime was seen.
If you change your query from:
timechart span=1h distinct_count(requestTime) by SP useother=false
To:
stats distinct_count(requestTime) by SP
We should see a count of distinct values... so for example if requestTime had five cases where it was 2300 ms and 10 cases where it was 2500 ms then distinct_count would be 2. I don't think this is what you're looking for.
Instead, maybe try something like the following:
host=<hostname> index=<index name> sourcetype="<sourcetype name>" SP="8*"
| rex field=_raw "TM=(?<requestTime>\d+)"
| eval reqtimesec = round(requestTime/1000, 2)
| timechart span=1h max(reqtimesec) as maxt, min(reqtimesec) as mint, avg(reqtimesec) as avgt by SP useother=false
| eval warning=10
This will give you the average, max time, and min time of a specific SP (which looks a lot like SSO data to me :-D)
Hope that helps!
No problem 🙂
Would you mind posting the solution, though, for future folks? Especially if the documentation that you mentioned was lacking something important.
You might not be getting the level of responses you want here because your question "what could be wrong" is answered within the message you posted: "Insufficient Access Error".
This is an error on the Microsoft side, likely meaning you have some configuration problem in Azure.
Edit: https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.html may be helpful.
Would something like the following meet your needs?
source=sourcetype
| stats values(fieldB) by fieldA
or maybe
source=sourcetype
| stats values(fieldB), values(_time) as time by fieldA
| convert ctime(time)
A step-by-step approach might look something like this:
EventCode=4725 OR EventCode=4722 earliest=-60d
| eval account=mvindex(Account_Name,1)
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| convert ctime(times)
| table times, firstEvent, lastEvent, account
Presuming your data source is Active Directory and you've got some parsing happening!
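The same grouping and filtering as that search, re-implemented stand-alone so the logic can be checked offline. This is an added example in Python rather than SPL and is not code from the original answer; the sample events, their timestamp layout and the convention that index 1 of Account_Name is the target account (the mvindex(Account_Name,1) step) are all assumptions.

```python
from datetime import datetime

# Constructed sample events, not real log data. EventCode 4725 = account disabled,
# 4722 = account enabled. Account_Name is multivalued in Splunk: index 0 is the
# subject (who acted), index 1 is the target account, mirroring mvindex(Account_Name,1).
SAMPLE_EVENTS = [
    ("2024-03-01 08:00:00", 4725, ["helpdesk1", "jdoe"]),
    ("2024-03-03 09:15:00", 4722, ["helpdesk1", "jdoe"]),      # disabled, later re-enabled
    ("2024-03-02 10:00:00", 4722, ["admin2", "svc_backup"]),   # first event is "enabled": dropped
    ("2024-03-04 11:30:00", 4725, ["admin2", "WS01$"]),        # computer account: dropped
    ("2024-03-05 12:00:00", 4725, ["helpdesk1", "asmith"]),
    ("2024-03-06 13:00:00", 4722, ["helpdesk1", "asmith"]),
    ("2024-03-07 14:00:00", 4725, ["helpdesk1", "asmith"]),    # last event is "disabled": dropped
]

# The two "replace" steps in the search.
LABEL = {4722: "enabled", 4725: "disabled"}


def reenabled_accounts(events):
    """Return {account: (times, firstEvent, lastEvent)} for accounts whose earliest
    event is not 'enabled' and whose latest event is not 'disabled', i.e. accounts
    that were disabled and then re-enabled within the window. Computer accounts
    (names ending in '$') are skipped, like the account != "*$" clause."""
    by_account = {}
    for ts, code, names in events:
        account = names[1]  # mvindex(Account_Name,1): the target of the change
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_account.setdefault(account, []).append((when, LABEL[code]))

    results = {}
    for account, rows in by_account.items():
        if account.endswith("$"):
            continue
        rows.sort()  # earliest(EventCode) / latest(EventCode) are decided by _time
        first, last = rows[0][1], rows[-1][1]
        if first != "enabled" and last != "disabled":
            times = [when.strftime("%m/%d/%Y %H:%M:%S") for when, _ in rows]  # convert ctime(times)
            results[account] = (times, first, last)
    return results


if __name__ == "__main__":
    for account, (times, first, last) in reenabled_accounts(SAMPLE_EVENTS).items():
        print(times, first, last, account)
```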
Your solution seems okay to me... maybe something like this:
| rex field=MyInconsistentDateTimeField "(?<d>[^//]*)/(?<m>[^//]*)/(?<y>[^\s]*)\s+(?<h>[^:]*):(?<min>[^:]*)(:(?<sec>.*))?"
| eval y = substr(y, len(y)-1,2)
| fillnull value="00" sec
| eval newTime=printf("%02d/%02d/%02d %02d:%02d:%02d", d,m, y,h,min,sec)
| eval parsed=strptime(newTime,"%d/%m/%y %l:%M:%S")
There may be a better way, but I think this'd work to normalize the field.
Sounds like the permissions on the filesystem got screwed up. Check to make sure the account splunk is running as can actually delete the files.