Splunk Enterprise Security

Sequence Template/Events Bug (not working) with Splunk ES version 5.2.2?

plimon
Explorer

Hello Splunk Community,

My organization has recently upgraded to Splunk ES 5.2.2. I have been trying to create a custom sequence template and test the concept. I have followed the directions outlined in this documentation link: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Sequencecorrelationsearches

My custom sequence template is enabled, sequence analysis is turned on via general settings:
However, I do not see a "next scheduled time" applied to my template.

I have also attempted to manually force an invocation of this macro through the following:
execute_sequence_template(template_name, true)

I get 1 record result returned (which I expect). However, there is no sequence event created through the notable events page.
I also do not see any errors or warn messages within the _internal logs for my custom sequence template.
Is this a bug with version 5.2.2?

0 Karma

p_gurav9491
Loves-to-Learn Everything

Hello,

I am facing a similar issue. Did you find any resolution?

0 Karma
