Hi, I am trying to make F5 ASM and Splunk Enterprise ver 7 work together. I have installed the "Splunk for F5 Security" app and I see the ASM logs being indexed under it. But when I go to check the inbuilt reports from the app under Application Security manager > Web application stats OR security events stats OR any other report, they are all blank, saying "no results found". Any idea why this is happening?
Thanks
Can be a couple of things:
1. indexes read by default - if the searches that power the dashboards do not specify index=some_index
and your user's role is not set up to search those indexes by default, you will see 'no results ...
2. sourcetype assignment is off / not working and therefore fields are not extracted correctly etc. Try to run a search in
`verbose` mode on the F5 data and see that all fields are extracted and sourcetypes are assigned.
hope it helps
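
Both checks from the answer above can be run as three separate searches from the Search app, one at a time (an added example, not part of the original thread or of the app's own searches). The first lists which index and sourcetype the events actually landed in, the second shows each role's default and allowed search indexes so you can see whether that index is searched when a dashboard omits `index=`, and the third summarizes which fields are extracted. `<your_index>` and `<your_sourcetype>` are placeholders to fill in from the first search's output, and the `rest` search assumes your account is permitted to read role settings.

```spl
| tstats count where index=* by index, sourcetype

| rest /services/authorization/roles splunk_server=local
| table title srchIndexesDefault imported_srchIndexesDefault srchIndexesAllowed imported_srchIndexesAllowed

index=<your_index> sourcetype=<your_sourcetype> earliest=-24h
| fieldsummary
| table field count distinct_count
```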