https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642516#M109499 <P>After installing the Splunk Enterprise Security (ES) app using the splunk-enterprise-security_701.spl file, I noticed that the "Security Posture" dashboard was empty and searching for index=notable returned no results. Upon further investigation, I discovered that there was no inputs.conf file present in the /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local directory</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <DIV> <DIV> <DIV class="">&nbsp;</DIV> <DIV class="">&nbsp;</DIV> <DIV class="">&nbsp;</DIV> </DIV> </DIV> <DIV> <DIV> <DIV class="">&nbsp;</DIV> <DIV class="">&nbsp;</DIV> <DIV class="">&nbsp;</DIV> </DIV> </DIV> <DIV> <DIV class="">&nbsp;</DIV> </DIV> Mon, 08 May 2023 13:15:37 GMT NeedNotToKnow 2023-05-08T13:15:37Z https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642516#M109499 <P>After installing the Splunk Enterprise Security (ES) app using the splunk-enterprise-security_701.spl file, I noticed that the "Security Posture" dashboard was empty and searching for index=notable returned no results. Upon further investigation, I discovered that there was no inputs.conf file present in the /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local directory</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <DIV> <DIV> <DIV class="">&nbsp;</DIV> <DIV class="">&nbsp;</DIV> <DIV class="">&nbsp;</DIV> </DIV> </DIV> <DIV> <DIV> <DIV class="">&nbsp;</DIV> <DIV class="">&nbsp;</DIV> <DIV class="">&nbsp;</DIV> </DIV> </DIV> <DIV> <DIV class="">&nbsp;</DIV> </DIV> Mon, 08 May 2023 13:15:37 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642516#M109499 NeedNotToKnow 2023-05-08T13:15:37Z https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642518#M109501 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256524">@NeedNotToKnow</a>,</P><P>before installing and configuring ES, it's a best practice to check that you're receiving all the data flows of your perimeter and that these data flows are all normalized.</P><P>You can check normalization checking if the Add-Ons you used to ingest logs are all CIM 4.x compliant.</P><P>When you are sure to have all the data flows of your perimeter, you can go in [Configure &gt; Content &gt; Content Management ] and enable the Correlation Searches that you can use with your data flows.</P><P>I hint to make a propedeutic analysis on the Correlation Searches that it's possible to enable with your data; you can do this manually or using the Splunk Security Essentials App (<A href="https://splunkbase.splunk.com/app/3435)" target="_blank">https://splunkbase.splunk.com/app/3435)</A>.</P><P>I hint to search in the YouTube Splunk Channel some videos that describe hot to install and configure ES.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 08 May 2023 10:44:46 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642518#M109501 gcusello 2023-05-08T10:44:46Z https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642523#M109506 <P>This didn't help</P><P>Can you give me a video to configure ES?</P><P>And why I didn't have inputs.conf?</P><DIV><DIV><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV></DIV></DIV> Mon, 08 May 2023 11:37:54 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642523#M109506 NeedNotToKnow 2023-05-08T11:37:54Z https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642527#M109507 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256524">@NeedNotToKnow</a>,</P><P>you don't have inputs.conf because this file is usually on the forwarders that ingest data flows, not on the ES server.</P><P>About ES configuring, it isn't so immediate, and I hint to follow a training, otherwise it will very hard!</P><P>Anyway, here you can find some documentatin and tutorials:</P><P><A href="https://lantern.splunk.com/Security/Getting_Started/Configuring_and_optimizing_Enterprise_Security" target="_blank">https://lantern.splunk.com/Security/Getting_Started/Configuring_and_optimizing_Enterprise_Security</A></P><P><A href="https://www.youtube.com/watch?v=YMtJjoVk4q0" target="_blank">https://www.youtube.com/watch?v=YMtJjoVk4q0</A></P><P><A href="https://www.youtube.com/watch?v=IA2QwdpCm74" target="_blank">https://www.youtube.com/watch?v=IA2QwdpCm74</A></P><P><A href="https://www.youtube.com/watch?v=QdM6JvnYu7g" target="_blank">https://www.youtube.com/watch?v=QdM6JvnYu7g</A></P><P><A href="https://www.youtube.com/results?search_query=splunk+enterprise+security" target="_blank">https://www.youtube.com/results?search_query=splunk+enterprise+security</A></P><P>Ciao.</P><P>Giuseppe</P> Mon, 08 May 2023 12:09:26 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642527#M109507 gcusello 2023-05-08T12:09:26Z https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642534#M109510 <P><STRONG>I can’t solve the problem</STRONG></P><P><STRONG>index = notable </STRONG></P><P><STRONG>is empty..</STRONG></P> Mon, 08 May 2023 13:41:36 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642534#M109510 NeedNotToKnow 2023-05-08T13:41:36Z https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642538#M109512 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256524">@NeedNotToKnow</a>,</P><P>check if you have events in Data Models and if you activated some Correlation Search.</P><P>Notable index receive events from the CSs, if you don't enable them and they don't trigger alerts, you'll not have notables.</P><P>I cannot hint a CS to start because they depends on the data you have.</P><P>As I said, install the Security Essentials App to see which CS are possible to enable.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 08 May 2023 13:53:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/642538#M109512 gcusello 2023-05-08T13:53:49Z https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/643015#M109586 <P>Sorry I bothered you many times</P><P>Notable get its events from correlation searches ok?</P><P>But when I install SPLUNK ES there are many prebuilt CSs</P><P>So my task just go and enable them, right?</P><P>But these correlation searches run on what index?</P><P>For example, if I have two indexes firewall-1 &amp; firewall-2</P><P>Is it by default will run these CSs on both of indexes?</P><P>Or should I manually edit it? If yes, How?</P><P>Did you get me? Sorry for bothering</P><DIV><DIV><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV></DIV></DIV> Thu, 11 May 2023 11:03:36 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-notable-index-empty/m-p/643015#M109586 NeedNotToKnow 2023-05-11T11:03:36Z