Hi,
We are using the Linux Auditd App to monitor and track all audit events. One of the panels, "Anomalous Event Volume", works correctly on the Indexer (currently on the older version 6.3.2) but shows "N/A" on the Search Head (version 6.4.0). After some testing, it looks like the "predict" command used in the search gives slightly different results in the latest version compared to 6.3.2, which appears to be breaking the search. Here are the details:
I ran the following search on both the Indexer and the SH:
| tstats count WHERE [|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] BY _time span=1h | predict count as prediction upper95=upper lower95=lower future_timespan=0
On the Indexer (version 6.3.2):
![alt text][1]
On the Search Head (version 6.4.0):
![alt text][2]
On the Search Head, the command appends "prediction" to both the lower and upper columns, which in turn breaks the subsequent eval for range, as it still expects columns named "lower" and "upper". Here is the complete search used for this panel:
| tstats count WHERE [|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] BY _time span=1h | predict count as prediction upper95=upper lower95=lower future_timespan=0 | eval range=upper-lower | eval difference=case(count>lower AND countupper, round((count-upper)/range,1)) | search difference=* | table _time difference
Why is it appending text `(prediction)` after the columns and is this what's causing the query to fail?
Thanks,
~ Abhi
[1]: /storage/temp/141172-indexer-predict.png
[2]: /storage/temp/141173-sh-predict.png