Solved: S[;unk Enterprise Security: Data that is indexed f...

miked531 · ‎12-05-2017

Among other things, I have the Enterprise Security and Splunk_TA_ipfix apps installed and am successfully indexing IPFIX data (into the index named "ipfix"). From the search app, when I dump the index with the search command: "index=ipfix" I can see the data and the interesting fields are parsed out like I expect. When I do the same search in the Enteprise Sec app, the events show but none of the fields show on the left side. I'll guess this is a permissions issue, but looked at all of the places I could think of and everything looks like I think it should.

Can somebody explain what I'm missing to make this work?

miked531 · ‎12-05-2017

I'll answer my own question...

I missed doing a necessary splunk restart. Once I did that, it worked as expected.

View solution in original post

miked531 · ‎12-05-2017

I'll answer my own question...

I missed doing a necessary splunk restart. Once I did that, it worked as expected.

niketn · ‎12-06-2017

@miked531, sometimes these small misses eat our head. I am glad you found your answer. Please go ahead and mark Accept this as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

S[;unk Enterprise Security: Data that is indexed from the Splunk Add-on for IPFIX none of the fields show in the Splunk Enterprise Security app

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life