Did you ever get an answer to this? I have the same errors. ... View more

I had this issue with 1.0.3 as well. I contacted MS Support and was told: For sign-ins to Azure services, we expect latency of up to 5 minutes. From the o365 side, they allow latency of up to 24 hours, but say delays should be considerably shorter. Basically, Signin logs aren't available via API in chronological order, but the Signin Time is accurate. So you may get: Event 1 Event 4 Event 2 Event 3 Because the app uses the checkpoint time of the newest event, you'd lose Events 2 and 3 in this scenario if the scripted input ran between Event 4 being available via API and Event 3 being available. What I did was update the python code to search from the checkpoint date/time to 10 minutes ago. This means that my log data is always 10 minutes behind, but I can live with that. FYI - I also noticed a bug where the graph URL is using ge (greater than or equal to) instead of gt (greater than). This caused the newest event from each run to be duplicated. If you had several runs with no new data, that event could get duplicated many times. My updated portion of the python script is as follows: # Added by George to account for events not being made available via API in chronological order # toDateTime = (datetime.datetime.utcnow() - datetime.timedelta(minutes=10)).strftime('%Y-%m-%dT%H:%M:%SZ') url = "https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+%s+and+createdDateTime+lt+%s" % (query_date, toDateTime) #url = "https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+%s" % query_date # # Done with George Additions I did not notice missing audit events with 1.0.3, but I'll be validating that data this week since I just upgraded the App to 1.1.0. ... View more

I know that this is an older post, but did you restart Splunk after installing the app? I installed this app today and had the same behavior as you until I restarted Splunk. ... View more

FYI - A new version of the App and TA (version 2.4) are available on Splunkbase. We updated to this version is all seems to be working now. ... View more

Thanks for the reply. Unfortunately neither of these solutions work for me. 😞 1- We don't want to deploy a Windows Heaver Forwarder 2 - We can't hard code the password as we have two different Isilon clusters with different passwords. I did confirm that when I put the username and password of one of them in, it did get data. FYI - I've contacted Crest (the developer of the App and Add-On) and they have responded with this: Isilon APIs have changed and we are working with Dell EMC team to refresh the Splunk app to support the new API. The expected delivery date is in first week of Septemeber. We will upload the app on Splunkbase as soon as it is ready. ... View more

Did you ever find a solution for this? We started seeing the same errors after upgrading our Isilon from OneFS 8.0.0.4 to 8.0.0.6. All was working fine prior to the upgrade. ... View more

FYI - We traced the macro back to the actual search string and the below returns data: | tstats latest("Microsoft_Exchange_Health.componentValue") AS ComponentValue values("Microsoft_Exchange_Health.componentInstance") AS ComponentInstances from datamodel=Microsoft_Exchange where (nodename = Microsoft_Exchange_Health) groupby "Microsoft_Exchange_Health.componentId", "Microsoft_Exchange_Health.tag", host _time span=1m summariesonly=true | rename "Microsoft_Exchange_Health.componentId" AS ComponentId "Microsoft_Exchange_Health.tag" AS ServiceTag | eval Host = lower(host) | search * ServiceTag="ms_ex_health_*" | appendpipe [ | fields _time | dedup _time | rename _time as time | map [ | inputlookup state_store_cfw_combined_hosts_services_components | search * ServiceTag="ms_ex_health_*" | eval _time=_time | fields _time, ComponentId, Host, ServiceTag ] maxsearches=50000 ] | stats latest(ComponentValue) AS ComponentValue, values(ComponentInstances) AS ComponentInstances by ComponentId, Host, ServiceTag _time The below does not: | tstats latest("Microsoft_Exchange_Health.componentValue") AS ComponentValue values("Microsoft_Exchange_Health.componentInstance") AS ComponentInstances from datamodel=Microsoft_Exchange where (nodename = Microsoft_Exchange_Health) groupby "Microsoft_Exchange_Health.componentId", "Microsoft_Exchange_Health.tag", host _time span=1m summariesonly=true | rename "Microsoft_Exchange_Health.componentId" AS ComponentId "Microsoft_Exchange_Health.tag" AS ServiceTag | eval Host = lower(host) | search * ServiceTag="ms_ex_health_*" | appendpipe [ | fields _time | dedup _time | rename _time as time | map [ | inputlookup state_store_cfw_combined_hosts_services_components | search * ServiceTag="ms_ex_health_*" | eval _time=_time | fields _time, ComponentId, Host, ServiceTag ] maxsearches=50000 ] | stats latest(ComponentValue) AS ComponentValue, values(ComponentInstances) AS ComponentInstances by ComponentId, Host, ServiceTag _time | `cfw-component-info-lookup` The Data Model appears to be good, but the lookups are empty. ... View more

I had this same problem today. A work-around for me is to click on the map and then use the Alt- to move the map around in the panel. ... View more

I have this problem with Chrome. If you click on the map and then use Alt-, it will move the map around. ... View more

@Simon - This is VERY helpful. Thank You! ... View more

For anyone interested, I wound up creating a scheduled search on my DHCPACK events that triggers a PowerShell script that updates a csv file. that csv file was used for another lookup to add a name field based on IP. I then used that to create another automatic lookup (be careful of naming as automatic lookups happen in order of name alphabetically) that ran before the automatic lookup that adds fields for device info based on name. All in all, I like this solution better as I'm not constantly looking up the same IPs via nslookup. ... View more

Thank you! I was able to get around it by creating an automatic lookup using dnslookup, but the results were a little sporadic (some events for the same IP would have the device_owner and device_model fields and others wouldn't). I think I'm going to create another lookup table that gets updated via script triggered by DHCPACK events to keep a lookup table of internal IPs to hostnames. ... View more