I'm trying to use the Smart Outlier Detection use case in MLTK, but after entering the query I don't get the option to move into the "Learn" stage.  Here is my query: `Internal Macro` earliest=-60m (action="deny" OR action="blocked") |bin _time span=1m | stats count as event_count by _time I think this is the same as a previous time I did the query, which did end up going to the "Learn" stage. It ended up throwing an error stating that dependencies were required the last time. The admin has stated they installed the missing dependencies so it should be working.  Now, it's not even going past the "Define" stage and it's not giving any error messages so either there's something wrong with my query or the app has an issue still. I'd appreciate any help in this matter. ... View more

The following search works well, but I'm not able to get it to occur for daily results with each day getting a row in the results.  How can I get it to provide daily results? index=cdb_summary source=CDM_*_Daily_Summary sourcetype=vuln_summary OR (sourcetype=assetmanager_summary devicetype!=npvw [| inputlookup IT_Systems where Status="Operational" OR Status="Modification" | fields fismaid] ) fismaid=*  | fields asset_id,hostname,ipaddress,ec2_instance_id,devicetype,os,everSeenBy,firstSeen,lastScan,last_scan_attempt_scandate,last_scan_attempt_credentialed,Credentialed_Scan,lastSeen,fismaid,CriticalCount,HighCount,Criticals,Highs,TotalAssetScore ,AuthenticationRequired,CriticalAssetScore,HighAssetScore | stats values(*) as * by asset_id | eval elast=strptime(lastSeen,"%Y-%m-%d %H:%M:%S") | where elast>=relative_time(now(),"@mon") | eval AutoFail=if(AuthenticationRequired=="1" AND (Credentialed_Scan=="false" OR isnull(Credentialed_Scan)),1,0) | eval CriticalPoints=CriticalCount*12, HighPoints=HighCount*4 | eval CriticalPoints=if(CriticalPoints>60,60,CriticalPoints), HighPoints=if(HighPoints>40,40,HighPoints) | eval PointsLost=CriticalPoints + HighPoints | eventstats sum(PointsLost) as TotalPointsLost,sum(TotalAssetScore) as TotalScore, dc(asset_id) as TotalAssets, sum(AutoFail) as AutoFailTotal, count(eval(isnull(Credentialed_Scan))) as MissingScans | eval Percent_to_AutoFails=round(AutoFailTotal/TotalAssets*100) | eval Percent_MissingScans=round(MissingScans/TotalAssets*100) | eval Percent_PointsLost=round(TotalPointsLost/TotalAssets) | eval VULN_Score= round(TotalScore/TotalAssets) | lookup IT_Systems fismaid output Title , hva | replace 1 with "True", 0 with "False" in hva | rename hva as "High Value Assets" | table VULN_Score, Percent_MissingScans,TotalAssets,Percent_PointsLost | stats values(*) as *   I tried adding | bin and by bucket to get the below search, which returns zero results, but does match on events.     index=cdb_summary source=CDM_*_Daily_Summary sourcetype=vuln_summary OR (sourcetype=assetmanager_summary devicetype!=npvw [| inputlookup IT_Systems where Status="Operational" OR Status="Modification" | fields fismaid] ) fismaid=* | bin span=1d _time | fields asset_id,hostname,ipaddress,ec2_instance_id,devicetype,os,everSeenBy,firstSeen,lastScan,last_scan_attempt_scandate,last_scan_attempt_credentialed,Credentialed_Scan,lastSeen,fismaid,CriticalCount,HighCount,Criticals,Highs,TotalAssetScore ,AuthenticationRequired,CriticalAssetScore,HighAssetScore | stats values(*) as * by asset_id by _time | eval elast=strptime(lastSeen,"%Y-%m-%d %H:%M:%S") | where elast>=relative_time(now(),"@mon") | eval AutoFail=if(AuthenticationRequired=="1" AND (Credentialed_Scan=="false" OR isnull(Credentialed_Scan)),1,0) | eval CriticalPoints=CriticalCount*12, HighPoints=HighCount*4 | eval CriticalPoints=if(CriticalPoints>60,60,CriticalPoints), HighPoints=if(HighPoints>40,40,HighPoints) | eval PointsLost=CriticalPoints + HighPoints | eventstats sum(PointsLost) as TotalPointsLost,sum(TotalAssetScore) as TotalScore, dc(asset_id) as TotalAssets, sum(AutoFail) as AutoFailTotal, count(eval(isnull(Credentialed_Scan))) as MissingScans | eval Percent_to_AutoFails=round(AutoFailTotal/TotalAssets*100) | eval Percent_MissingScans=round(MissingScans/TotalAssets*100) | eval Percent_PointsLost=round(TotalPointsLost/TotalAssets) | eval VULN_Score= round(TotalScore/TotalAssets) | lookup IT_Systems fismaid output Title , hva | replace 1 with "True", 0 with "False" in hva | rename hva as "High Value Assets" | table VULN_Score, Percent_MissingScans,TotalAssets,Percent_PointsLost | stats values(*) as * ... View more

Here is the search I'm running: index=cdb_summary source=CDM_*_Daily_Summary fismaid=* sourcetype=swam_summary OR sourcetype=hwam_summary | stats sum(TotalManaged) as TotalApplicable,count(eval(AutoFail=="False")) as GoodAssets , sum(NotScanned) as NotScanned,values(FailedCPE) as FailedCPEs, count(FailedCPE) as FailedCPE | eval SWAM_Score=round((TotalApplicable-NotScanned-FailedCPE)/TotalApplicable*100)   I'd like to get results from each day within a given timeframe to use for the ML Toolkit.  I've tried timewrap, but it returns no results. How can I get a search to run this query for each day in a given timeframe? ... View more