All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

(Beta) Proofpoint Email Security App for Splunk content returns no results

mdsnmss
SplunkTrust
SplunkTrust
‎10-11-2017 07:19 AM

This isn't a question but a post to help point out a reason you may not be seeing content in your reports or dashboards using the (Beta) Proofpoint Email Security App for Splunk. It has to do with a macro used at the beginning of each search in order to set the index. You must change the macro to point to the index where your Proofpoint data (pps__log) is.

Reply
1 Solution
Solved! Jump to solution
Solution

mdsnmss
SplunkTrust
SplunkTrust
‎10-11-2017 07:21 AM

To change the macro open up Settings-->Advanced Search-->Search macros. Go to the app context "Proofpoint Email Security App for Splunk". There is a macro labeled get_pps_index. The macro is set to explicitly point to index=main. Since it is unlikely you are sending all of your Proofpoint data to "main" you should open this macro and change it to the index where your PPS data is sent.

View solution in original post

Reply
Solved! Jump to solution

eckolp2003
Path Finder
‎02-01-2018 12:49 PM

Have you been able to verify you have data coming in? Can you confirm all the steps you have done so far?

The app setup is fairly well documented here:

https://splunkbase.splunk.com/app/3080/#/details

We need to determine if this is a sourcetype issue or some other problem.

0 Karma
Reply
Solved! Jump to solution
Solution

mdsnmss
SplunkTrust
SplunkTrust
‎10-11-2017 07:21 AM

To change the macro open up Settings-->Advanced Search-->Search macros. Go to the app context "Proofpoint Email Security App for Splunk". There is a macro labeled get_pps_index. The macro is set to explicitly point to index=main. Since it is unlikely you are sending all of your Proofpoint data to "main" you should open this macro and change it to the index where your PPS data is sent.

Reply
Solved! Jump to solution

eckolp2003
Path Finder
‎10-16-2017 09:47 AM

Thanks for documenting this for others!

0 Karma
Reply
Solved! Jump to solution

vnguyen46
Contributor
‎02-06-2019 07:23 AM

Thank you so much. It's a big help. I have been searching for days to resolve this issue.

0 Karma
Reply
Solved! Jump to solution

jrsanders
Path Finder
‎02-01-2018 01:00 PM

Nevermind. I figured it out. I needed to add the Add-on to my indexer as well.

0 Karma
Reply
Solved! Jump to solution

eckolp2003
Path Finder
‎02-01-2018 01:02 PM

Could you tell me more about your deployment? Most deployments should not need this installed on an indexer.

0 Karma
Reply
Solved! Jump to solution

jrsanders
Path Finder
‎02-01-2018 01:33 PM

Our deployment consist of One Search Head and One Indexer. Our Proofpoint servers send their logs directly to the indexer.

0 Karma
Reply
Solved! Jump to solution

eckolp2003
Path Finder
‎02-01-2018 01:41 PM

Ok, that explains why. The TA's should normally go on a heavy forwarder and if you are not using one, they would have to go on your indexer.

0 Karma
Reply
Solved! Jump to solution

jrsanders
Path Finder
‎02-01-2018 01:43 PM

Thank you for the input. Sorry about my earlier comment. I was venting a little.

0 Karma
Reply
Solved! Jump to solution

jrsanders
Path Finder
‎02-01-2018 12:41 PM

I've done that and I'm still not getting data. Plus there is little to no documentation for this app.

0 Karma
Reply
Get Updates on the Splunk Community!

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...

We understand that your initial experience with getting data into Splunk Observability Cloud is crucial as it ...