HurricaneLabs / brokenhosts


Broken Hosts Alert - by contact issue in 4.2.2 #4

Closed ew426 closed 1 year ago

ew426 commented 1 year ago

There appears to be an additional error in the /default/savedsearches.conf configuration on lines 129 and 130. The fillnull and eval commands are misordered:

```
| convert auto(suppressUntil) | fillnull value=`default_contact` contact\
| fillnull value=`default_expected_time` lateSecs | eval contact=if(contact="",null(),contact)\
```

This sequence fills null values before setting blank values to null. It seems that should be reversed:

```
| convert auto(suppressUntil) | eval contact=if(contact="",null(),contact) | fillnull value=`default_contact` contact\
| fillnull value=`default_expected_time` lateSecs
```

It seems that some values in the expectedTime table could have blank, but not null values, resulting in them being written back to null and subsequently never set to auto-fill a default contact. This effectively suppresses those alerts.
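The ordering problem described in the comment above, modelled in Python as an added example (this is not code from the brokenhosts app, and the default contact and expected-time values are assumed placeholders standing in for the `default_contact` and `default_expected_time` macros). Splunk's `fillnull` only touches fields that are null or absent, while the `eval` turns blank strings into null; the model runs both orderings over constructed lookup rows so you can see which hosts end up with no contact and therefore never alert:

```python
# Added example: a small model of the two SPL pipeline orderings from this issue.
# Not part of the brokenhosts app; it only mimics how `fillnull value=X field`
# (fills null/missing fields, leaves "" alone) and
# `eval contact=if(contact="",null(),contact)` (turns "" into null) interact.

DEFAULT_CONTACT = "soc@example.com"  # assumed stand-in for the `default_contact` macro
DEFAULT_LATE_SECS = 3600             # assumed stand-in for the `default_expected_time` macro


def fillnull(row: dict, field: str, value) -> dict:
    """Mimic `| fillnull value=<value> <field>`: only null/absent fields are filled."""
    out = dict(row)
    if out.get(field) is None:
        out[field] = value
    return out


def blank_to_null(row: dict, field: str) -> dict:
    """Mimic `| eval contact=if(contact="",null(),contact)`."""
    out = dict(row)
    if out.get(field) == "":
        out[field] = None
    return out


def original_order(row: dict) -> dict:
    """Order from lines 129-130 as reported: fillnull first, then eval."""
    row = fillnull(row, "contact", DEFAULT_CONTACT)
    row = fillnull(row, "lateSecs", DEFAULT_LATE_SECS)
    # Blank contacts survived fillnull untouched and are now turned into null,
    # with nothing left downstream to fill them.
    return blank_to_null(row, "contact")


def fixed_order(row: dict) -> dict:
    """Order proposed in the issue: eval first, then fillnull."""
    row = blank_to_null(row, "contact")
    row = fillnull(row, "contact", DEFAULT_CONTACT)
    return fillnull(row, "lateSecs", DEFAULT_LATE_SECS)


# Constructed lookup rows: one complete, one truly null, one blank-but-not-null.
SAMPLE_ROWS = [
    {"host": "web01", "contact": "ops@example.com", "lateSecs": 900},
    {"host": "web02", "contact": None, "lateSecs": None},
    {"host": "web03", "contact": "", "lateSecs": None},
]


def contacts_after(pipeline) -> dict:
    """Map host -> contact field after running the given ordering."""
    return {r["host"]: pipeline(r)["contact"] for r in SAMPLE_ROWS}


def hosts_without_contact(pipeline) -> list:
    """Hosts whose alert would have no contact (and so be silently dropped)."""
    return sorted(h for h, c in contacts_after(pipeline).items() if not c)


if __name__ == "__main__":
    print("original order, missing contact:", hosts_without_contact(original_order))
    print("fixed order, missing contact:   ", hosts_without_contact(fixed_order))
```

Running it shows the blank-contact host (`web03`) is the one that loses its contact under the original ordering, while the truly null host (`web02`) is handled correctly either way; the fixed ordering gives both hosts the default contact.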

deviansg commented 1 year ago

Thanks for bringing this to our attention. Both this issue and issue #3 should now be fixed if you want to try it out.

ew426 commented 1 year ago

Excellent, thank you. I'm not sure what the process is, but that should make its way to SplunkBase as well. That was where I downloaded it originally and it looks like that version hasn't been updated yet. I appreciate the quick response!