Splunk Cloud Platform

Splunk integration with MTE not sending every record

senthild
Explorer
 
 
The Splunk query "Orca High Alerts" is connected to the SNOW TEST environment. It is showing many more close records than open records. When filtering the Splunk query results with a wide time window and a unique event ID on the Splunk side, both open and close lines appear, but both have the exact same timestamp. I suspect Splunk only sends the close if the open and the close have the exact same timestamp. Is there a way to validate this?
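One way to test the timestamp hypothesis offline, as an added example that is not part of the original post and not Splunk's or ServiceNow's own code: export the open/close lines from the Splunk search and the list of records that actually arrived in the SNOW TEST instance, group both by event ID, and cross-tabulate "did this record reach SNOW" against "did the open and close share a timestamp on the Splunk side". If the suspicion is right, one cell of the different-timestamp row will be entirely missing. The field names (`event_id`, `state`, `_time`), the two record sets and the (event_id, state) shape of the SNOW export are assumptions for illustration; the rows below are constructed, not real alert data.

```python
"""Correlate open/close timestamp equality on the Splunk side with which
records reached SNOW. Constructed example; field names and data are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed Splunk-side export: one row per open/close line of an alert.
# Field names (event_id, state, _time) are assumptions for this example.
SPLUNK_ROWS = [
    {"event_id": "evt-1", "state": "open",  "_time": "2024-01-10T08:00:00"},
    {"event_id": "evt-1", "state": "close", "_time": "2024-01-10T08:00:00"},  # same ts
    {"event_id": "evt-2", "state": "open",  "_time": "2024-01-10T09:00:00"},
    {"event_id": "evt-2", "state": "close", "_time": "2024-01-10T09:05:00"},  # differs
    {"event_id": "evt-3", "state": "open",  "_time": "2024-01-10T10:00:00"},
    {"event_id": "evt-3", "state": "close", "_time": "2024-01-10T10:00:00"},  # same ts
    {"event_id": "evt-4", "state": "open",  "_time": "2024-01-10T11:00:00"},
    {"event_id": "evt-4", "state": "close", "_time": "2024-01-10T11:30:00"},  # differs
    {"event_id": "evt-5", "state": "open",  "_time": "2024-01-10T12:00:00"},  # not closed yet
]

# Constructed SNOW-side export: the (event_id, state) records that arrived.
# Here SNOW holds more closes than opens, matching the symptom in the question.
SNOW_RECEIVED = {
    ("evt-1", "open"), ("evt-1", "close"),
    ("evt-2", "close"),                      # open never arrived
    ("evt-3", "open"), ("evt-3", "close"),
    ("evt-4", "close"),                      # open never arrived
    ("evt-5", "open"),
}


def index_splunk(rows):
    """Group Splunk rows by event id: {event_id: {"open": datetime, "close": datetime}}."""
    by_event = defaultdict(dict)
    for row in rows:
        by_event[row["event_id"]][row["state"]] = datetime.fromisoformat(row["_time"])
    return dict(by_event)


def compare(splunk_rows, snow_received):
    """Per event id, note whether open and close share a timestamp on the Splunk
    side and which of the two records actually reached SNOW. Events that have
    only one of the two lines in Splunk are skipped: they cannot test the idea."""
    results = []
    for event_id, states in sorted(index_splunk(splunk_rows).items()):
        if "open" not in states or "close" not in states:
            continue
        results.append({
            "event_id": event_id,
            "same_timestamp": states["open"] == states["close"],
            "open_in_snow": (event_id, "open") in snow_received,
            "close_in_snow": (event_id, "close") in snow_received,
        })
    return results


def crosstab(results):
    """Count arrived/missing SNOW records, split by state and by whether the
    open and close timestamps were identical. Keys: (same_ts|diff_ts, state)."""
    table = defaultdict(lambda: {"arrived": 0, "missing": 0})
    for r in results:
        bucket = "same_ts" if r["same_timestamp"] else "diff_ts"
        for state in ("open", "close"):
            outcome = "arrived" if r[f"{state}_in_snow"] else "missing"
            table[(bucket, state)][outcome] += 1
    return dict(table)


if __name__ == "__main__":
    for key, counts in sorted(crosstab(compare(SPLUNK_ROWS, SNOW_RECEIVED)).items()):
        print(key, counts)
```

The per-event grouping is the same thing a `stats` by event ID over the open/close lines does inside Splunk; the part Splunk cannot see is the right-hand column, which has to come from the SNOW side. A cell such as `('diff_ts', 'open') {'arrived': 0, 'missing': 2}` next to an all-arrived `same_ts` row is the evidence for (or against) the timestamp theory, and it also tells you which of the two states is the one being dropped.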