Sorry for getting back to you late. Since the last post a new version of the app (1.0.7) was launched, try installing that and then look for any errors in the Splunkd log? A feature of the TA is that it will pull data from your eventhub partition if there is anything 'new' written to it . So if your instance is off or restarting there will be a gap in your input (This is assuming that the eventhub is constantly written to). Conversely if the event hub is not busy, there will be no data in your index as the app can only pull in whats recent. This is my understanding so far... ... View more

What version of Splunk are you planning on installing? There are some general things like you mentioned ulimits, tph, create splunk account etc. ... View more

If the question is about how to make the search efficient, follow best practices on adding filters as early as possible (e.g define your index,st,source etc). Using fields and then stats to reduce the amount of unnecessary fields also helps. If you know that the value of your FQDN host will be hostname.domain.com you can try incorporating NOT TERM(hostname.domain.com) in your search as well. This does not always increase your search efficiency and really depends on the scenario. ... View more

Are you working on an all-in-one Splunk instance or a distributed environment? I would also check my inputs.conf to see if a host=127.0.0.1 parameter was also defined for the path you want to monitor. ... View more

Would need more information on what sort of monitoring is setup from your domain controllers... I can break this down to two issues: 1) Passwords resets: Assuming you are onboarding windows security logs, have you looked at Windows Event ID 4724/4723 for passwords reset? https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4724 2) Accounts expired or near expiration: Assuming you are onboarding windows security events, there should be an 'Account Expires' field for a user related event, that you can try creating some analytics around. ... View more

Have you checked your default index? I was able to get data from multiple partition For troubleshooting I would suggest looking at the inputs.conf in default and what you have in local to see if any parameter is not defined and try changing the partition #... Its a new app so I would start troubleshooting it as I would start with any other app by checking my configs. ... View more

I wrote something related a while ago: https://discoveredintelligence.ca/predict-spam-using-classification/ Used spl to add row_total and column_totals to count all the data points easily: | `confusionmatrix(...,"predicted..")") | addtotals labelfield="Predicted actual" | rename Total as "row_total" | addcoltotals label="col_total" labelfield="Predicted actual" Before answering any of the questions what do the categorical fields look like? Any spaces/ trailing characters/different formatting that may be causing an issue? ... View more