Solved: (Beta) Proofpoint Email Security App for Splunk co...

mdsnmss · ‎10-11-2017

This isn't a question but a post to help point out a reason you may not be seeing content in your reports or dashboards using the (Beta) Proofpoint Email Security App for Splunk. It has to do with a macro used at the beginning of each search in order to set the index. You must change the macro to point to the index where your Proofpoint data (pps__log) is.

mdsnmss · ‎10-11-2017

To change the macro open up Settings-->Advanced Search-->Search macros. Go to the app context "Proofpoint Email Security App for Splunk". There is a macro labeled get_pps_index. The macro is set to explicitly point to index=main. Since it is unlikely you are sending all of your Proofpoint data to "main" you should open this macro and change it to the index where your PPS data is sent.

View solution in original post

eckolp2003 · ‎02-01-2018

Have you been able to verify you have data coming in? Can you confirm all the steps you have done so far?

The app setup is fairly well documented here:

https://splunkbase.splunk.com/app/3080/#/details

We need to determine if this is a sourcetype issue or some other problem.

mdsnmss · ‎10-11-2017

To change the macro open up Settings-->Advanced Search-->Search macros. Go to the app context "Proofpoint Email Security App for Splunk". There is a macro labeled get_pps_index. The macro is set to explicitly point to index=main. Since it is unlikely you are sending all of your Proofpoint data to "main" you should open this macro and change it to the index where your PPS data is sent.

eckolp2003 · ‎10-16-2017

Thanks for documenting this for others!

vnguyen46 · ‎02-06-2019

Thank you so much. It's a big help. I have been searching for days to resolve this issue.

jrsanders · ‎02-01-2018

Nevermind. I figured it out. I needed to add the Add-on to my indexer as well.

eckolp2003 · ‎02-01-2018

Could you tell me more about your deployment? Most deployments should not need this installed on an indexer.

jrsanders · ‎02-01-2018

Our deployment consist of One Search Head and One Indexer. Our Proofpoint servers send their logs directly to the indexer.

eckolp2003 · ‎02-01-2018

Ok, that explains why. The TA's should normally go on a heavy forwarder and if you are not using one, they would have to go on your indexer.

jrsanders · ‎02-01-2018

Thank you for the input. Sorry about my earlier comment. I was venting a little.

jrsanders · ‎02-01-2018

I've done that and I'm still not getting data. Plus there is little to no documentation for this app.

(Beta) Proofpoint Email Security App for Splunk content returns no results

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation