Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Paychex Cover Your Assets - losing alert Time Range

Keith_wgtn
Explorer
‎11-03-2021 10:24 PM

Hi All,  

and @dmarling and @efavreau 

I have been using the Paychex Cover Your Assets techniques from the 2019 Splunk Conference to export user config and load into Splunk Cloud.  I have used it for a few sites but with the latest site I have a problem where Alerts defined with Time Range set to Custom have loaded into cloud with Time Range set to "All Time".

This will obviously cause a performance problem especially as many alerts run frequesntkly and usually the Time Range is set to 5 minutes.

Has anyone else noticed these settings being lost in the Paychex process?  

For example this:

Keith_wgtn_1-1636003206690.png

 

Keith_wgtn_0-1636003154961.png

has become:

Keith_wgtn_2-1636003235046.png

 

I have checked and can see the that the first Paycheck SPL worked fineas I can find these fields in the resulting csv:

Keith_wgtn_3-1636003293413.png

But the second Paychex SPL that assembles the CreateCurl has dropped these fields:

 

curl -k -H "Authorization: Splunk XXXXXXXXXXXXXXXX/servicesNS/nobody/search/saved/searches -d name="AWS ASG ELB Activity" -d search="%28index%3Daws%20OR%20index%3Dclick%29%20sourcetype%3D%22aws%3Acloudtrail%22%20%20userAgent%3D%22autoscaling%2Eamazonaws%2Ecom%22%20accountName%3DProduction%20%20%28eventName%3D%20%20%22DeregisterInstancesFromLoadBalancer%22%20OR%20%20eventName%3D%20%22RegisterInstancesWithLoadBalancer%22%29%7C%20spath%20path%3DrequestParameters%2Einstances%7B%7D%2EinstanceId%20output%3Dinstances%20%20%20%7C%20eval%20slack%5Fmessage%20%3D%20strftime%28%5Ftime%2C%20%22%20%25Y%2D%25m%2D%25d%20%25H%3A%25M%3A%25S%22%29%20%2E%20%22%20autoscaling%20%22%7Ceval%20slack%5Fmessage%20%3D%20slack%5Fmessage%20%2E%20if%28eventName%3D%22RegisterInstancesWithLoadBalancer%22%2C%20%22%20added%20%22%2C%20%22%20removed%20%22%29%20%7Ceval%20instance%5Ftotal%3Dmvcount%28%09%0A%27responseElements%2Einstances%7B%7D%2EinstanceId%27%29%7Ceval%20instance%5Fcount%3Dmvcount%28instances%29%20%7C%20eval%20instance%5Flist%3Dmvjoin%28instances%2C%22%3B%22%29%20%20%7C%20eval%20slack%5Fmessage%20%3D%20slack%5Fmessage%20%2E%20instance%5Fcount%20%2E%20if%28instance%5Fcount%3D1%2C%20%22%20instance%22%2C%20%22%20instances%22%29%20%2E%20if%28eventName%3D%22RegisterInstancesWithLoadBalancer%22%2C%20%22%20to%22%2C%20%22%20from%22%29%20%2E%20%22%20load%20balancer%20%22%20%2E%20%27requestParameters%2EloadBalancerName%27%20%2E%20%22%2C%20new%20instance%20count%20is%20%22%20%2E%20instance%5Ftotal%20%2E%20%22%20%28%22%20%2E%20instance%5Flist%20%2E%22%29%22%20%7C%20table%20%20slack%5Fmessage%20%7Csort%20%2Dslack%5Fmessage" -d description="" -d auto_summarize.cron_schedule="%2A%2F10%20%2A%20%2A%20%2A%20%2A" -d cron_schedule="%2A%2F5%20%2A%20%2A%20%2A%20%2A" -d is_scheduled="1" -d schedule_window="0" -d action.email="0" -d action.email.sendresults="" -d action.email.to="" -d action.keyindicator.invert="0" -d action.makestreams.param.verbose="0" -d action.notable.param.verbose="0" -d action.populate_lookup="0" -d action.risk.param.verbose="0" -d action.rss="0" -d action.script="0" -d action.slack="1" -d action.slack.param.channel="%23digital%2Dprod%2Daudit" -d action.slack.param.message="%24result%2Eslack%5Fmessage%24" -d action.summary_index="0" -d action.summary_index.force_realtime_schedule="0" -d actions="slack" -d alert.digest_mode="0" -d alert.expires="24h" -d alert.managedBy="" -d alert.severity="3" -d alert.suppress="0" -d alert.suppress.fields="" -d alert.suppress.group_name="" -d alert.suppress.period="" -d alert.track="0" -d alert_comparator="greater%20than" -d alert_condition="" -d alert_threshold="0" -d alert_type="number%20of%20events" -d display.events.fields="%5B%22host%22%2C%22source%22%2C%22sourcetype%22%5D" -d display.events.list.drilldown="full" -d display.events.list.wrap="1" -d display.events.maxLines="5" -d display.events.raw.drilldown="full" -d display.events.rowNumbers="0" -d display.events.table.drilldown="1" -d display.events.table.wrap="1" -d display.events.type="list" -d display.general.enablePreview="1" -d display.general.migratedFromViewState="0" -d display.general.timeRangePicker.show="1" -d display.general.type="statistics" -d display.page.search.mode="verbose" -d display.page.search.patterns.sensitivity="0%2E8" -d display.page.search.showFields="1" -d display.page.search.tab="statistics" -d display.page.search.timeline.format="compact" -d display.page.search.timeline.scale="linear" -d display.statistics.drilldown="cell" -d display.statistics.overlay="none" -d display.statistics.percentagesRow="0" -d display.statistics.rowNumbers="0" -d display.statistics.show="1" -d display.statistics.totalsRow="0" -d display.statistics.wrap="1" -d display.visualizations.chartHeight="300" -d display.visualizations.charting.axisLabelsX.majorLabelStyle.overflowMode="ellipsisNone" -d display.visualizations.charting.axisLabelsX.majorLabelStyle.rotation="0" -d display.visualizations.charting.axisLabelsX.majorUnit="" -d display.visualizations.charting.axisLabelsY.majorUnit="" -d display.visualizations.charting.axisLabelsY2.majorUnit="" -d display.visualizations.charting.axisTitleX.text="" -d display.visualizations.charting.axisTitleX.visibility="visible" -d display.visualizations.charting.axisTitleY.text="" -d display.visualizations.charting.axisTitleY.visibility="visible" -d display.visualizations.charting.axisTitleY2.text="" -d display.visualizations.charting.axisTitleY2.visibility="visible" -d display.visualizations.charting.axisX.abbreviation="none" -d display.visualizations.charting.axisX.maximumNumber="" -d display.visualizations.charting.axisX.minimumNumber="" -d display.visualizations.charting.axisX.scale="linear" -d display.visualizations.charting.axisY.abbreviation="none" -d display.visualizations.charting.axisY.maximumNumber="" -d display.visualizations.charting.axisY.minimumNumber="" -d display.visualizations.charting.axisY.scale="linear" -d display.visualizations.charting.axisY2.abbreviation="none" -d display.visualizations.charting.axisY2.enabled="0" -d display.visualizations.charting.axisY2.maximumNumber="" -d display.visualizations.charting.axisY2.minimumNumber="" -d display.visualizations.charting.axisY2.scale="inherit" -d display.visualizations.charting.chart="column" -d display.visualizations.charting.chart.bubbleMaximumSize="50" -d display.visualizations.charting.chart.bubbleMinimumSize="10" -d display.visualizations.charting.chart.bubbleSizeBy="area" -d display.visualizations.charting.chart.nullValueMode="gaps" -d display.visualizations.charting.chart.overlayFields="" -d display.visualizations.charting.chart.rangeValues="" -d display.visualizations.charting.chart.showDataLabels="none" -d display.visualizations.charting.chart.sliceCollapsingThreshold="0%2E01" -d display.visualizations.charting.chart.stackMode="default" -d display.visualizations.charting.chart.style="shiny" -d display.visualizations.charting.drilldown="all" -d display.visualizations.charting.fieldColors="" -d display.visualizations.charting.fieldDashStyles="" -d display.visualizations.charting.gaugeColors="" -d display.visualizations.charting.layout.splitSeries="0" -d display.visualizations.charting.layout.splitSeries.allowIndependentYRanges="0" -d display.visualizations.charting.legend.labelStyle.overflowMode="ellipsisMiddle" -d display.visualizations.charting.legend.mode="standard" -d display.visualizations.charting.legend.placement="right" -d display.visualizations.charting.lineWidth="2" -d display.visualizations.custom.drilldown="all" -d display.visualizations.custom.height="" -d display.visualizations.custom.type="" -d display.visualizations.mapHeight="400" -d display.visualizations.mapping.choroplethLayer.colorBins="5" -d display.visualizations.mapping.choroplethLayer.colorMode="auto" -d display.visualizations.mapping.choroplethLayer.maximumColor="0xaf575a" -d display.visualizations.mapping.choroplethLayer.minimumColor="0x62b3b2" -d display.visualizations.mapping.choroplethLayer.neutralPoint="0" -d display.visualizations.mapping.choroplethLayer.shapeOpacity="0%2E75" -d display.visualizations.mapping.choroplethLayer.showBorder="1" -d display.visualizations.mapping.data.maxClusters="100" -d display.visualizations.mapping.drilldown="all" -d display.visualizations.mapping.legend.placement="bottomright" -d display.visualizations.mapping.map.center="%280%2C0%29" -d display.visualizations.mapping.map.panning="1" -d display.visualizations.mapping.map.scrollZoom="0" -d display.visualizations.mapping.map.zoom="2" -d display.visualizations.mapping.markerLayer.markerMaxSize="50" -d display.visualizations.mapping.markerLayer.markerMinSize="10" -d display.visualizations.mapping.markerLayer.markerOpacity="0%2E8" -d display.visualizations.mapping.showTiles="1" -d display.visualizations.mapping.tileLayer.maxZoom="7" -d display.visualizations.mapping.tileLayer.minZoom="0" -d display.visualizations.mapping.tileLayer.tileOpacity="1" -d display.visualizations.mapping.tileLayer.url="" -d display.visualizations.mapping.type="marker" -d display.visualizations.show="1" -d display.visualizations.singlevalue.afterLabel="" -d display.visualizations.singlevalue.beforeLabel="" -d display.visualizations.singlevalue.colorBy="value" -d display.visualizations.singlevalue.colorMode="none" -d display.visualizations.singlevalue.drilldown="none" -d display.visualizations.singlevalue.numberPrecision="0" -d display.visualizations.singlevalue.rangeColors="%5B%220x53a051%22%2C%20%220x0877a6%22%2C%20%220xf8be34%22%2C%20%220xf1813f%22%2C%20%220xdc4e41%22%5D" -d display.visualizations.singlevalue.rangeValues="%5B0%2C30%2C70%2C100%5D" -d display.visualizations.singlevalue.showSparkline="1" -d display.visualizations.singlevalue.showTrendIndicator="1" -d display.visualizations.singlevalue.trendColorInterpretation="standard" -d display.visualizations.singlevalue.trendDisplayMode="absolute" -d display.visualizations.singlevalue.trendInterval="" -d display.visualizations.singlevalue.underLabel="" -d display.visualizations.singlevalue.unit="" -d display.visualizations.singlevalue.unitPosition="after" -d display.visualizations.singlevalue.useColors="0" -d display.visualizations.singlevalue.useThousandSeparators="1" -d display.visualizations.singlevalueHeight="115" -d display.visualizations.trellis.enabled="0" -d display.visualizations.trellis.scales.shared="1" -d display.visualizations.trellis.size="medium" -d display.visualizations.trellis.splitBy="" -d display.visualizations.type="charting"

 

I really like this process and am keen to work out a solution but am asking in case someone else has already resolved it.

Thanks heaps.

Labels (1)
Labels
0 Karma
Reply

Keith_wgtn
Explorer
‎11-07-2021 07:59 PM

Perhaps I can answer this myself.

At https://github.com/paychex/Splunk.Conf19 the CYA_Import_Splunk_Query SPL already has dispatch.* at the end of line 18 after lookup.*

BUT it hasnt been added to the end of lines 24 and 26. 

So it seems that someone was adding it but didnt finish it.  

But I think that is all that might be required to fix it.

Tags (1)
0 Karma
Reply

Keith_wgtn
Explorer
‎11-07-2021 08:08 PM

and line 19

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...