All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Proofpoint Email Security Add-On: Issues with dashboard population and extractions

adalbor
Builder
‎06-03-2019 08:19 AM

Hey All,
I have installed the Proofpoint Email Security Add-On for Splunk (TA) on my Universal Forwarder's that collect the Syslog from Proofpoint.
I have also installed the Proofpoint Email Security Add-On for Splunk (TA) on my Search Head Cluster and installed the Proofpoint Email Security App for Splunk (App) on my search head cluster.

All of the dashboards are not populating in the app. I did some investigation and noticed the search macro for the app was setup to point to the wrong index. I modified the search macro to point to the right index where our logs are stored (index=proofpoint).
I verified the search macro returns results without the sourcetype

Need some assistance in figuring out why the app isn't actually extracting the sourcetypes from the pps_log sourcetype
See below from the app page:

Verification

PPS filter and mail logs are collected by the source type "pps_log" and are mapped to sourcetypes pps_filter_log and pps_mail_log. In the search box you can verify the logs by search for sourcetype="pps_filter_log" and "sourcetype="pps_mail_log
I don't see any other sourcetype than pps_log.

It appears the transforms does have the correct regex as I tested it against some log entries but it's not actually creating the other sourcetypes.

Does anyone have any recommendations?

Thanks!
Andrew

Reply
1 Solution
Solved! Jump to solution
Solution

adalbor
Builder
‎06-04-2019 05:38 AM

I found the issue all, after talking with support they suggested it be installed on the indexers due to the props and transforms.

This resolved the issue instantly and the dashboards started populating right away.

View solution in original post

Reply
Solved! Jump to solution
Solution

adalbor
Builder
‎06-04-2019 05:38 AM

I found the issue all, after talking with support they suggested it be installed on the indexers due to the props and transforms.

This resolved the issue instantly and the dashboards started populating right away.

Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...