Splunk Enterprise Security

Why are the dashboards not displaying any data in the Enterprise Security app?

mcxrisley08
Path Finder

So I recently had to nuke the search head that our Enterprise Security app was running on. I have reinstalled everything and setup search peers but I am having trouble getting any of the dashboards to display any data. Any help with this would be appreciated.

0 Karma

tiagofbmm
Influencer

The data in the ES dashboards is retrieved from the DataModels residing in your indexers.

The first thing to test is if you can search anything from ma data model, like *| from datamodel:. *. Let me know if you have results for any of the datamodels you are using

0 Karma

mcxrisley08
Path Finder

I get nothing when running that string in search.

0 Karma

tiagofbmm
Influencer

Are you specifiying one data model?

Like | from datamodel:"Network_Traffic"."All_Traffic"

0 Karma

alemarzu
Motivator

I believe it is like this

| datamodel Authentication search | table Authentication.*
0 Karma

mcxrisley08
Path Finder

Ok, That search returns a ton of results. I have made some progress and have got my identities and assets lists created in ES. Some of the issues I'm having now are:

1. The two lists do not share a common value, so I'm not sure how to merge or if they can even merged

2. When I run a search Asset/Identity Investigator, It returns a lot of bogus PII events. I do have the demo data disabled, So I'm not sure why these events are being labeled as such.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...