Actually, it may be that something is wrong with your CIM Validator. Even if I try to search a non-existent index, it still populates the counters at the top and has rows of "no extracted values found"
Which version of Cim Validator are you using? Perhaps you could try backing up the current cim validator app, then re-installing it.
It sounds like you are doing everything right. I freshly installed the CIM Validator v 1.8.2 on Splunk Enterprise v9.2.0 with the Splunk CIM app v5.3.1, then without configuring any of these apps I entered "index=_internal" into the search bar of the CIM Validator app dashboard and then I could see results.
It is very strange that you are able to retrieve logs from regular Splunk searches, but then get no results when you copy the search query into the CIM Validator and set the time range to be equivalent.
At the very bottom of the CIM Validator dashboard, there is a table labeled "Events". You can click the magnifying glass on this table and it will open a search containing your search query followed by "| head 10000". As this is a very straightforward search, you should be able to see events in this table once you enter them into the "Search" input of the CIM dashboard.
Thanks for replying Marnall.
It is indeed very strange that the CIM Validator does not return any results. Especially since as you mentioned, at the bottom of the page there is a table labelled "Events" that does return results.
I do not recall if this issue was present last week, but trying to click on the "Search type" drop down menu and clicking on "datamodel" no longer saves that selection. It is permanently stuck on "_raw".
Clicking on all the magnifying glasses of each search, the results are almost always the same:
- "Total fields" always returns a count of zero.
- The rest all return the data model that I have selected.
I've added several screenshots to showing what I see. I hope there will be more suggestions for troubleshooting.
