cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
elle118
Engager
Member since: ‎03-19-2015
‎04-27-2021
Community Statistics
Posts 2
Solutions 1
Karma Given 0
Karma Received 3
Member Since ‎03-19-2015
Topics I've Started
No posts to display.
View All

Re: Issue on Dropdown timepicker on Dashboard

by in Dashboards & Visualizations
‎06-19-2019 02:45 AM
2 Karma
‎06-19-2019 02:45 AM
2 Karma
Hi, @iancorrea Let's check how to use the relative_time function. You must specify UNIX time in the first argument. https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/DateandTimeFunctions For the problem you are facing, converting to UNIX time with strptime function first will give you the expected result. ex) | eval etime = strptime("$_emon$/$_eday$/$_eyear$:00:00:00", "%m/%d/%Y:%H:%M:%S") | eval new = relative_time(etime,"-2228000") ... View more

Re: Unable to receive the logs from Microsoft Azur...

by in All Apps and Add-ons
‎05-31-2019 12:01 AM
1 Karma
‎05-31-2019 12:01 AM
1 Karma
Hi @subbarayudu, When I faced the same problem, I could improve the collection rate to over 99% by modifying the API calls that collect events (Sign-ins and Audit Logs) as follows. ex) When the delay time is 5 minutes $SPLUNK_HOME/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py 50 event_source = "tenant_id:%s" % tenant_id 51 query_date = get_start_date(helper, check_point_key) 52 query_date_end = (datetime.datetime.utcnow() - datetime.timedelta(minutes=5)).strftime('%Y-%m-%dT%H:%M:%S.%fZ') 53 access_token = azauth.get_access_token(client_id, client_secret, tenant_id) 54 55 if(access_token): 56 url = "https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+%s)+and+(activityDateTime+le+%s)" % (query_date, query_date_end) 57 audit_events = azutils.get_items(helper, access_token, url) $SPLUNK_HOME/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py 52 event_source = "tenant_id:%s" % tenant_id 53 query_date = get_start_date(helper, check_point_key) 54 query_date_end = (datetime.datetime.utcnow() - datetime.timedelta(minutes=5)).strftime('%Y-%m-%dT%H:%M:%S.%fZ') 55 access_token = azauth.get_access_token(client_id, client_secret, tenant_id) 56 57 if(access_token): 58 url = "https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=(createdDateTime+gt+%s)+and+(createdDateTime+le+%s)" % (query_date, query_date_end) 59 sign_ins = azutils.get_items(helper, access_token, url) There is no need to restart the Splunk service after fixing. The corrected API call will be executed at the next collection timing, and events from the checkpoint up to 5 minutes before the acquisition timing will be collected. If you want to check that the modified API call is being executed, you can check it from the DEBUG log of App. ex) Sign-ins 2019-05-31 15:09:23,282 DEBUG pid=32155 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=(createdDateTime+gt+2019-05-31T05:58:52.8129242Z)+and+(createdDateTime+le+2019-05-31T06:04:22.013821Z) HTTP/1.1" 200 None ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-27-2021 03:16 AM
Karma from
View All