Is ModSecurity AddOn for Splunk compatible with 7....

thevena · ‎01-20-2020

We are running Splunk7.3.0.

We have installed:

1 - ModSecurity Add-On for Splunk on both the indexer and search head following the instructions here:
https://splunkbase.splunk.com/app/3391/#/details

2 - The TA-user-agents on both the indexer and search head following the instructions here:
https://splunkbase.splunk.com/app/1843/#/details

3 - The ModSecurity App for Splunk on the search head following the instructions here:
https://splunkbase.splunk.com/app/3392/#/details

Issue:

Searching via the GUI and search app is successful, however there is nothing populated in the ModSecurity app for Splunk.

The compatibility list for 2 of these components list versions prior to 7.3

Any suggestions please?

D2SI · ‎01-21-2020

Hello @thevena :

Is the data is being indexed in the default main index or a dedicated one ? It is a dedicated one, is searchable by default for the considered role ?

App is using Data Model and kind of assume it is being accelerated. Is it the case ?

I suggest opening the search of any panel of the App. You should see something like "| tstats ... summariesonly=true", try to replace true by false and launch the search again. If data appears, it is because Data Model has not been accelerated.

Data Model can be accelerated from Settings > Data Models > Edit Acceleration > Accelerate / Summary Range.

Is ModSecurity AddOn for Splunk compatible with 7.3 yet?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms