splash board shows nothing
WHEN I SEARCH index=summary "alienvault_dest_ip_count=*"
RETURN 01/13/2019 16:12:00 +0800, search_name="Obelisk - Populate Summary Index 1", search_now=1547381520.000, info_min_time=1547367120.000, info_max_time=1547381520.000, info_search_time=1547381521.487, alienvault_dest_ip_count=0
IS THERE SOMTHING got wrong?
I am trying to get this app going as well without success. I have the obelisk app on my Search Head Cluster and the Obelisk add-on on my Heavy Forwarder but I get the same as you.
01/18/2019 04:12:00 -0700, search_name="Obelisk - Populate Summary Index 1", search_now=1547824320.000, info_min_time=1547809920.000, info_max_time=1547824320.000, info_search_time=1547824323.274, alienvault_dest_ip_count=0
01/18/2019 00:12:00 -0700, search_name="Obelisk - Populate Summary Index 1", search_now=1547809920.000, info_min_time=1547795520.000, info_max_time=1547809920.000, info_search_time=1547809924.409, alienvault_dest_ip_count=0
The logs directory on HF show the scripts are working properly too.
I was getting errors on the HF due to the addon. I had to modify inputs.conf for the monitored files to something like this: [monitor://c:\progra~1\splunk\etc\apps\TA_obelisk-threat\logs\obelisk_talos_intel*]
I kept getting syntax error and until I modified all of these monitored files with the above format did I get data coming into the indexer.
Now I must wait for the summary indexes to complete.
Any luck with getting everything working?