https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392532#M4260 <P>Many indexes are populated only after correlation searches are enabled. Enable the correlation searches that make sense for your security use cases, and you'll start to see data in those related indexes, such as the notable index or the threat_activity index. </P> Tue, 13 Nov 2018 19:36:30 GMT smoir_splunk 2018-11-13T19:36:30Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392531#M4259 <P>Hi all,</P> <P>I am new to splunk. I have installed splunk ESS(5.2) on search head. Splunk environment has one search head and three search peers(indexers). After installing the ESS on search head, I am not able to see any data for the indexes created from ESS like whois, threat_activity. Am I missing anything? Do I require any special configuration on search peers or heavy forwarders?</P> <P>Thanks,</P> Tue, 13 Nov 2018 19:04:38 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392531#M4259 graju89 2018-11-13T19:04:38Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392532#M4260 <P>Many indexes are populated only after correlation searches are enabled. Enable the correlation searches that make sense for your security use cases, and you'll start to see data in those related indexes, such as the notable index or the threat_activity index. </P> Tue, 13 Nov 2018 19:36:30 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392532#M4260 smoir_splunk 2018-11-13T19:36:30Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392533#M4261 <P>Correlation search is enabled already. Do I need to install any add-ons on the search peers?</P> Tue, 13 Nov 2018 19:41:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392533#M4261 graju89 2018-11-13T19:41:28Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392534#M4262 <P>ES is made up of add-ons, and if those are not present on the search peers then yes, you will need to distribute them accordingly. These steps are documented: <A href="https://docs.splunk.com/Documentation/ES/5.2.0/Install/InstallTechnologyAdd-ons">https://docs.splunk.com/Documentation/ES/5.2.0/Install/InstallTechnologyAdd-ons</A></P> Tue, 13 Nov 2018 19:43:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392534#M4262 smoir_splunk 2018-11-13T19:43:28Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392535#M4263 <P>Ok. I saw the link already. I will update once I am done.</P> Tue, 13 Nov 2018 19:48:31 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392535#M4263 graju89 2018-11-13T19:48:31Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392536#M4264 <P>@smoir_splunk I installed the add-ons but still no luck.</P> Tue, 13 Nov 2018 21:04:25 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ESS-index-does-not-have-any-data/m-p/392536#M4264 graju89 2018-11-13T21:04:25Z