All Apps and Add-ons

Linux Auditd app - Is the SPL for the Anomalous Event Volume panel broken?

chris_barrett
SplunkTrust
SplunkTrust

We've just installed version 3..0.0 of the App on a v7.1.1 system and I suspect that the SPL for the Anomalous Event Volume search is broken.

The rename portion is: ... | rename lower95(prediction(count)) as lower, upper95(prediction(count)) as upper | ... but the predict command is being used to predict count but naming it as 'prediction', which is causing the renames to fail. I believe that the fix is to remove the "as prediction" from the predict command.

Is anyone able to confirm if this is the case?

Tags (1)
1 Solution

doksu
Contributor

Thanks very much for letting me know. It’s now been rectified in v3.0.1 and published on Splunkbase.

View solution in original post

doksu
Contributor

Thanks very much for letting me know. It’s now been rectified in v3.0.1 and published on Splunkbase.

doksu
Contributor

Yes, I think you’re right. Please standby for an update. Should be available by Monday.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...