I am trying to use the auditd app for Splunk and one of the errors that are thrown is "command="predict", data is not periodic"
when trying to generate the Anomalous Event Volume portion of the Security Operations Center dashboard.
Does anyone have any solutions for this?
Hi @jm255,
Are you still receiving this error? It sounds like either the app hasn't yet been configured [correctly] or sufficient auditd events haven't yet been ingested. To confirm that to be the case, please run this search back 24 hrs: [|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes]
If the search above doesn't return events, please ensure you've completed the installation configuration: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration
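As an added illustration, not part of this thread and not code from the splunk_auditd app: the predict command expects a regularly spaced time series of the kind timechart produces, so "data is not periodic" is what you see when the buckets handed to it are too few or unevenly spaced. The Python below runs the same two checks offline on a constructed set of timechart-style rows (hypothetical timestamps and counts; the minimum-point threshold is an assumption chosen for the example, not a Splunk constant), so you can see which of the two conditions a given result set violates.

```python
from datetime import datetime

# Constructed sample of what `... | timechart span=1h count` might return,
# as (_time, count) rows. Hypothetical values, not real auditd data.
# The 03:00 bucket is deliberately missing so the series is not periodic.
SAMPLE_ROWS = [
    ("2023-01-01T00:00:00", 12),
    ("2023-01-01T01:00:00", 9),
    ("2023-01-01T02:00:00", 15),
    ("2023-01-01T04:00:00", 11),
]


def parse_rows(rows):
    """Turn (iso_timestamp, count) pairs into (datetime, count) pairs."""
    return [(datetime.fromisoformat(t), int(c)) for t, c in rows]


def check_periodicity(rows, min_points=2):
    """Return (ok, reasons).

    ok is True only when there are at least `min_points` rows (hypothetical
    threshold for this example) and every consecutive pair of timestamps is
    separated by the same interval, i.e. the series is evenly spaced.
    """
    parsed = sorted(parse_rows(rows))
    reasons = []

    if len(parsed) < min_points:
        reasons.append(
            f"only {len(parsed)} bucket(s); need at least {min_points}"
        )
        return False, reasons

    # Use the smallest observed interval as the expected span; any larger
    # interval is a missing bucket, any smaller one is an overlapping bucket.
    deltas = [later[0] - earlier[0] for earlier, later in zip(parsed, parsed[1:])]
    expected = min(deltas)
    for (t_prev, _), (t_cur, _), delta in zip(parsed, parsed[1:], deltas):
        if delta != expected:
            reasons.append(
                f"irregular spacing between {t_prev.isoformat()} and "
                f"{t_cur.isoformat()}: {delta} (expected {expected})"
            )

    return (not reasons), reasons


if __name__ == "__main__":
    ok, reasons = check_periodicity(SAMPLE_ROWS)
    print("periodic:", ok)
    for reason in reasons:
        print(" -", reason)
```

On the constructed rows the check reports the gap before the 04:00 bucket; on a series with every hourly bucket present it returns `(True, [])`, which is the shape predict needs. If your own timechart output passes both checks and predict still fails, the problem is upstream of the time series, which is where the two inputlookup searches above come in.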
Hi doksu, I installed your app auditd but the searches fail. These searches, |inputlookup auditd_indices and | inputlookup auditd_sourcetypes, are working correctly, but the [|inputlookup auditd_sourcetypes] search is not returning any result. And the data is in the right index and sourcetype. Do you know how I can fix this?