No Answer? I have resolved.
My event: {"DetailsUrl": "/Orion/NetPerfMon/OrionMessages.aspx?ShowOrionMessageTypes=audit%3b", "AuditEventMessage": "User **\** logged in from *****.", "TimeLoggedUtc": "2018-03-29T01:42:32.7370000Z", "DisplayName": "\***** logged in from *****.", "NetObjectType": null, "ActionTypeID": 1, "AuditEventID": 3519, "NetworkNode": null, "AccountID": "\*****", "NetObjectID": null}
I have changed my sql like this:
SELECT AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName FROM Orion.AuditingEvents WHERE TimeLoggedUtc > AddMinute(-10,GETUTCDATE()) order by TimeLoggedUtc DESC
I am feeling splunk does't find the time automatically. Then I configured TIME_PREFIX. Done
[solarwinds:generic]
TIME_PREFIX = "TimeLoggedUtc":\s"
TIME_FORMAT = %Y-%m-%dT%T.%7N%Z
... View more