Splunk app for infrastructure is not showing entit...

carlosmacario · ‎10-18-2019

I have Installed Splunk App For Infrastructure and Splunk add-on for infrastructure.
I have configured the HEC 8088 and the Receiving Port 9997.
I have installed a Linux Client with the script.
I made troubleshooting.
In Splunk Enterprise im looking metrics arriving from that customers

I Dont See New Entities Connected!!

😞

woodcock · ‎10-20-2019

You need to specify ALL of the details and the configuration files and the contents of them. This is a complex pipeline and you've hardly told us anything.

gcusello · ‎10-19-2019

Hi carlosmacario,
check if in the eventtypes there are indexes: usually in these apps there isn't the flter for indexes.
you can check this opening in search one panel and adding the filter index=your_index

To solve this problem, you could choose between two solutions:

put the indexes in the default search path [ Settings -- Access Controls -- Roles -- -- Indexes];
create an eventtype with index=your_index and put this eventtype in each eventtype or macro of your App.

I prefer the second though it requests more work, because it's more clear and more performant.

Ciao.
Giuseppe

Splunk app for infrastructure is not showing entities and im receving events, i did all te troubleshooting task!! Help!!

Platform Newsletter Highlights | March 2023

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor