In an environment in which a Splunk data source has been integrated with Information Centric Analytics (ICA), the number of risk model instances generated each day has declined despite the number of events in Splunk remaining constant.
Release: 6.x
Component: Splunk Import Utility
The schedule of the Splunk data source query has been adjusted so that the query runs each day before Splunk's internal job that gathers source system events. This creates a delay of up to a day between when Splunk ingests an event and when ICA pulls that event during staging.
Adjust the data source query's schedule to run soon after Splunk's internal job completes.