We are running Splunk 7.3.0.
We have installed:
1 - ModSecurity Add-On for Splunk on both the indexer and search head following the instructions here:
https://splunkbase.splunk.com/app/3391/#/details
2 - The TA-user-agents on both the indexer and search head following the instructions here:
https://splunkbase.splunk.com/app/1843/#/details
3 - The ModSecurity App for Splunk on the search head following the instructions here:
https://splunkbase.splunk.com/app/3392/#/details
Issue:
Searching via the GUI and search app is successful; however, there is nothing populated in the ModSecurity App for Splunk.
The compatibility list for 2 of these components lists versions prior to 7.3.
Any suggestions please?
Hello @thevena:
Is the data being indexed in the default main index or a dedicated one? If it is a dedicated one, is it searchable by default for the considered role?
The app uses a Data Model and kind of assumes it is being accelerated. Is that the case?
I suggest opening the search of any panel of the app. You should see something like "| tstats ... summariesonly=true"; try replacing true with false and launching the search again. If data appears, it is because the Data Model has not been accelerated.
The Data Model can be accelerated from Settings > Data Models > Edit Acceleration > Accelerate / Summary Range.