The issue here is actually with the rendering engine of the sparkline or something about how core splunk (not ITSI) passes the values to the sparkline for rendering. If the time range is small enough (say last 60m) then that's small enough to bucket results passed to the sparkline into 1m spans which will result in 4 out of every 5 buckets not having a datapoint. (for a 5 minute KPI anyway) Interestingly enough, as per this answers post: https://community.splunk.com/t5/Archive/Sparkline-Format/td-p/61136 the sparkline rendering can be altered in SimpleXML and I've tested it with a dashboard. It would be a total ITSI hack, but it might well be possible to identify the conf file where the sparkline rendering config is passed for the service analyzer and modify to instead show a bar chart... the following results might look something more like this... ... View more

Eric, Just like quantile, range and stddev also limit the values used to compute the thresholds, to ONLY the data points that fall within the specified time policy. I'd have to go back and re-read my blog on that section... from your perspective was I ambiguous or did I misstate that? ... View more

Playing BOTN at .Conf 2019? Well done! You found an easter egg! Easter egg question #5 Answer=2468 ... View more

READ THIS BLOG: https://www.splunk.com/blog/2018/01/19/cyclical-statistical-forecasts-and-anomalies-part-1.html You're welcome. 😉 ... View more

Ahhhh Nice! Thanks for the complement. ... View more

As promised, the final blog post for adaptive thresholding has been posted. I hope you find it helpful and please reach out to me if you want to provide feedback! ... View more

Hi... I'm in the middle of writing/publishing several multi-part blogs on ITSI alerting and thresholding best practices... I'll have a blog published (hopefully in the next couple of months) which specifically addresses adaptive thresholding, but in the meantime, I'd love to have you read the first of the series to see if some of your questions and needs are addressed... Ensuring Success with Splunk ITSI - Part 1: Thresholding Basics https://www.splunk.com/blog/2017/12/15/ensuring-success-with-itsi-threshold-and-alert-configurations.html Ensuring Success with Splunk ITSI - Part 2: Alerting Basics https://www.splunk.com/blog/2017/12/21/ensuring-success-with-splunk-itsi-part-2-alerting-basics.html Ensuring Success with Splunk ITSI - Part 3: Adaptive Thresholding https://www.splunk.com/blog/2018/01/16/ensuring-success-with-itsi-threshold-and-alert-configurations-part-2-adaptive-thresholding.html ... View more

Also, shouldn't I be trying to check against a specific field, and not against _raw? Yes, you should be. The field you will be checking against will be the name of the field from your subsearch, which in your example above is URL. I'm also fairly certain that field must be present and extracted via props/transforms for your subsearch results filtering to work. ... View more

I was working with a team that was wanting to do this as well and we explored several options and came up with the best short term option until something is officially supported in the TA. I wanted to provide that information for others that happen across this post. Our Solution • Microsoft publishes documentation on exactly how to do this with their log integrator solution. (https://docs.microsoft.com/en-us/azure/security-center/security-center-integrating-alerts-with-log-integration) This is where we landed after considering and throwing out other options. It’s well documented by Microsoft and seems fairly trivial to implement • Optionally, once the data is ingested into Splunk, the recommendation is to CIMify the data using the Alerts DM (http://docs.splunk.com/Documentation/CIM/latest/User/Alerts) • From there you can create a new Correlation Rule that regularly scans the Alerts DM for new alerts and creates notables Other Explored Options • Using the Splunk Microsoft Cloud TA to read the data from the Blob storage. During our testing we found that Alerts are stored in encrypted format in the blob storage and so using the Cloud TA in existing form is not an option because of this encryption • Using the Azure Security Center REST API (https://msdn.microsoft.com/en-us/library/mt704049.aspx) This is a viable option but has several drawbacks. The REST API input is limited. You must retrieve all active alerts on each call. There is no way to say, give me the new alerts since the last call, so deduplication needs to be managed by your calling script or in Splunk. Moreover, to mitigate potential performance impact of this limitation, you’d almost certainly have to implement bi-directional communication between ES and ASC when the notable is worked to close the alert. That was outside of the scope of what we needed to do. To be clear, I’m not saying that performance issues exist or are imminent in this design, simply that I suspect they could occur and it was enough to steer us toward the log integrator solution Caveats • As I stated previously, we didn’t/don’t have the need for bidirectional communication back to ASC. That’s a layer of complexity that wasn’t considered in our analysis, but it seems reasonable that an adaptive response action to call the ASC REST API would work for this • We've actually not yet done the integration, so while we expect smooth sailing, we could run into bumps in the road that slow us down ... View more

I ran across what I think is the same problem and posted a separate question and answer for it here: https://answers.splunk.com/answers/513409/duo-splunk-connector-error-validation-for-schemedu.html If you're running into the same issue we were this error occurs because the Mod Inputs validation on allows the validation to run for 3 seconds before forcibly terminating it. Workaround is to build the inputs.conf file manually ... View more

I ran across the same challenge when trying to compare a list of diagnosis codes on a claim to a static list of diagnosis codes in my search. I was looking for an mvintersect() or similar command... I didn't like the above idea of mvexpand creating more results given the fact that the result set was already large, so I came up with the following: index=claims | eval diags=mvdedup(mvappend(diag_1_cd, diag_2_cd, diag_3_cd, diag_4_cd)) | eval search_diags=mvdedup(mvappend("a","b")) | eval separateDiagCount = mvcount(diags) + mvcount(search_diags) | eval joinedDiagCount = mvcount(mvdedup(mvappend(diags,search_diags))) | eval hasOverlap = if(separateDiagCount != joinedDiagCount, 1,0) Yikes! Not sure if it performs, but it does what I want it to do. Feel free to consolidate to your liking... I just wanted to break down the solution to discrete steps. ... View more

This just proves that statistics hurts the brain. @kschon, we will try what you've suggested above. It's an elegant solution, and we'll look to couple it with the vix sample rate for performance. ... View more

In the testing I've done, the limitation is mostly (if not exclusively) with in Excel. Splunk is correctly preserving the leading zeros in the CSV that is generated... for example 041234567. However, through testing, it can be seen that Splunk is not/cannot (even by force using a tostring()) output those values to CSV with quotes... for example "041234567". However, the reason I say that this is an Excel limitation is because whether your CSV data is or is not wrapped with quotes... 041234567 vs "041234567" Excel will convert both these to numeric and trim the leading zero. I'm fairly certain that this behavior will be consistent regardless of the source system that generates the CSV, Splunk or anything else. With all that being said, presuming the ultimate goal is to get the CSV to not trim the leading zeros, you have only a few options: 1. Force the data in Splunk to look like an SSN/String by reinserting the dashes as proposed in the SED command above 2. Use the text import wizard of Excel and open the CSV that way. This gives you the option to forcibly specify a column as text in which case the leading zeros will display 3. Apply column formatting in excel to the column to re-display the leading zeros. Simplest option is to highlight the column -> format cells -> special -> social security number Admittedly option #3 is partially flawed in that it will display 041234567 and 41234567 in exactly the same format (041-23-4567) which is arguably bad or wrong as you can't easily tell that the second value is actually a bogus SSN because it only has 8 digits... not 9. If anyone else can find a better solution, or think's I've missed or misstated something above, I'm all ears for a better option. ... View more