Hello! I have deployed Splunk Stream v7.1.3 and configured to collect Splunk_SSLActivity.
Events are coming through but the SSL Activity Informational Dashboards do not work.
Other dashboards/events are fine (e.g. HTTP, DNS), but when I look at the Splunk_SSLActivity data there is no common name/domain name.
I do have a field "ssl_subject" which sometimes contains CN = *.site.com OR CN = SplunkDefaultCert. In some events there is just "CN":
C = US, postalCode = 90000, ST = California, L = Newport, street = 1 PCH, O = Splunk, OU = Information Security, OU = Issued through Splunk, OU = InstantSSL Pro, CN
It looks like the app is expecting a field which isn't extracted, although both TA and App is installed (this is SplunkCloud) and the data is forwarded directly from Win and Linux hosts UF -> SplunkCloud.
I'm not sure if I can totally trust the data and while I can extract the field to match dashboard I am more concerned about WHY it's not working.
Any tips would be greatly appreciated!!
Thanks