Hi All,

The Bloodhound TA creates a KV store lookup. I've been asked to take the entries in the KV store and turn them into events. I've set up an alert, but I'm not seeing the alert fire. The SPL looks like this:

| inputlookup path_principals_lookup
| eval domain_id=if(isnull(domain_id), "NULL_domain_id", domain_id)
| eval domain_name=if(isnull(domain_name), "NULL_domain_name", domain_name)
| eval group=if(isnull(group), "NULL_Group", group)
| eval non_tier_zero_principal=if(isnull(non_tier_zero_principal), "NULL_non_tier_zero_principal", non_tier_zero_principal)
| eval path_id=if(isnull(path_id), "NULL_path_id", path_id)
| eval path_title=if(isnull(path_title), "NULL_path_title", path_title)
| eval principal=if(isnull(principal), "NULL_principal", principal)
| eval tier_zero_principal=if(isnull(tier_zero_principal), "NULL_tier_zero_principal", tier_zero_principal)
| eval user=if(isnull(user), "NULL_user", user)
| dedup domain_id, domain_name, group, non_tier_zero_principal, path_id, path_title, principal, tier_zero_principal, user

I see statistics, but that doesn't fire the alert. Is there something I'm missing to turn the values in the KV store into events to be alerted on?

TIA,
Joe
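As an added example (not from the original post or the Bloodhound TA), here is a savedsearches.conf stanza that runs the same lookup on a schedule, fires whenever at least one row comes back, and writes the rows into an index as events through the summary-index alert action; `fillnull` collapses the per-field eval chain, and a subsearch drops rows that were already indexed so each attack path is only written once. The stanza name, the `bloodhound_summary` index, the 15-minute schedule and the 30-day lookback are assumptions.

```ini
# Added example: savedsearches.conf stanza. Stanza name, index name,
# schedule and lookback window are assumptions, not values from the post.
[bloodhound_path_principals_to_events]
# Same KV store lookup as the post. fillnull sets every missing field to
# a single placeholder in one step; dedup then collapses duplicate rows on
# the full key set. The trailing NOT [...] subsearch excludes rows whose
# path_id/principal pair has already been written to the summary index,
# so re-reading the whole KV store every run does not re-index old rows.
# Subsearch limits apply (default 10,000 results), so keep the window
# sized to the number of distinct paths you expect.
search = | inputlookup path_principals_lookup \
| fillnull value="NULL" domain_id domain_name group non_tier_zero_principal \
    path_id path_title principal tier_zero_principal user \
| dedup domain_id domain_name group non_tier_zero_principal path_id \
    path_title principal tier_zero_principal user \
| search NOT [search index=bloodhound_summary earliest=-30d latest=now \
    | dedup path_id principal | fields path_id principal]

# Run every 15 minutes. inputlookup ignores the time range, but the
# scheduler still needs one.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger condition: fire when the search returns at least one row.
# "number of events" is the conf-file name for the UI's "Number of Results".
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4

# Write the triggering rows into an index as events. Summary-indexed
# events land with sourcetype "stash" and their fields as key=value pairs,
# so downstream searches can use index=bloodhound_summary path_id=...
action.summary_index = 1
action.summary_index._name = bloodhound_summary
# Extra field stamped on every written event (name is an assumption).
action.summary_index.lookup_source = path_principals_lookup

disabled = 0
```

The search runs as the stanza's owner, so that role needs read on the lookup and write on the target index; if you only want the alert and not stored events, drop the three `action.summary_index` lines and the NOT subsearch.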