Re: Linux Auditd: Predict command error

jm255 · ‎06-13-2019

I am trying to use the auditd app for Splunk and one of the errors that are thrown is "command="predict", data is not periodic" when trying to generate the Anomalous Event Volume portion of the Security Operations Center dashboard.
Does anyone have any solutions for this?

doksu · ‎06-26-2019

Hi @jm255,

Are you still receiving this error? It sounds like either the app hasn't yet been configured [correctly] or sufficient auditd events haven't yet been ingested. To confirm that to be the case, please run this search back 24hrs: [|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes]

If the search above doesn't return events, please ensure you've completed the installation configuration: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration

Arjan · ‎04-12-2022

Hi doksu, I installed your app auditd but the searches fail. This search |inputlookup auditd_indices and | inputlookup auditd_sourcetypes are working correctly but [|inputlookup auditd_sourcetypes] search is not returning any result. And the data is in the right index and sourcetype. Do you know how I can fix this?

How to Linux Auditd: Predict command error

other

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!