I installed version 1.6.0 of the app (fresh install, not upgrade) on Splunk Enterprise 7.1. It's a distributed environment and the app has been installed on both the indexers and the search head. Data is showing in most of the app's dashboards as expected, after updating the searches with index=. However, any dashboards looking for CEF headers are not returning results. For example, the Integrity Monitoring Activity dashboard provides no results with the following search:
search (index=deep_security sourcetype=deepsecurity-integrity_monitoring) | top limit=5 cef_rulename | rename cef_rulename as "Event Name", count as "Event Count", percent as "Percent of Total"
I do get results if I search just (index=deep_security sourcetype=deepsecurity-integrity_monitoring), but cef_rulename is not listed as a field in the search results. There are no cef_* fields listed. I expect the [deepsecurity-cefheaders] section of the app's transforms.conf is supposed to extract those CEF headers as fields, but I'm not sure. Is there something I'm missing? Or any suggestion on how to fix this?
Thanks,
Chris
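As an added example (not code from the post or from the Deep Security app), the following Python snippet parses the seven pipe-delimited CEF header fields and the key=value extension from a raw event, the same job the app's transforms.conf stanza performs at search time. It is useful as an offline sanity check: if the raw events pulled back by the plain `index=... sourcetype=...` search do not parse here, the problem is the data rather than the extraction. The sample event is constructed, and the mapping of the CEF "Name" header field to `cef_rulename` is an assumption about the app's field naming.

```python
import re

# Constructed sample event in Common Event Format (CEF); not taken from the post.
# Header layout: CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension
# The Name field deliberately contains an escaped pipe ("\|") to exercise that edge case.
SAMPLE_EVENT = (
    "CEF:0|Trend Micro|Deep Security Manager|10.0.0|30|"
    "Integrity Monitoring Rule\\|Windows Services Modified|6|"
    "cn1=1 cn1Label=Host ID dvchost=host01 act=updated"
)

# Field names are an assumption modelled on the cef_* names seen in the dashboards;
# cef_rulename is assumed to be the CEF "Name" header field.
HEADER_FIELDS = (
    "cef_version", "cef_vendor", "cef_product", "cef_device_version",
    "cef_signature_id", "cef_rulename", "cef_severity",
)

# Extension values may contain spaces, so a value runs until the next " key=" or end of line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def _split_header(event):
    """Split the first 7 pipe-delimited header fields, honouring backslash-escaped pipes.

    Returns (fields, remainder) or (None, None) if fewer than 7 delimiters are found.
    """
    fields, cur, i = [], [], 0
    while i < len(event) and len(fields) < 7:
        ch = event[i]
        if ch == "\\" and i + 1 < len(event) and event[i + 1] in "|\\":
            cur.append(event[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if len(fields) < 7:
        return None, None
    return fields, event[i:]


def parse_cef(event):
    """Return a dict of cef_* header fields plus an 'extension' dict, or None if not CEF."""
    header, ext = _split_header(event)
    if header is None or not header[0].startswith("CEF:"):
        return None
    header[0] = header[0][len("CEF:"):]  # "CEF:0" -> "0"
    parsed = dict(zip(HEADER_FIELDS, header))
    parsed["extension"] = {m.group(1): m.group(2) for m in EXT_RE.finditer(ext)}
    return parsed


def has_cef_header(event):
    """Quick check for the symptom in the post: does this raw event carry a CEF header at all?"""
    return parse_cef(event) is not None


if __name__ == "__main__":
    result = parse_cef(SAMPLE_EVENT)
    for key in HEADER_FIELDS:
        print(f"{key:20s} = {result[key]}")
    print("extension            =", result["extension"])
```

Run it against a handful of events copied from the plain sourcetype search; an event for which `has_cef_header` returns False will never yield cef_* fields regardless of how transforms.conf is configured, which separates an ingestion problem from a search-time extraction problem.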