Splunk for OSSEC Dashboard: No results found.

nickbijmoer
Path Finder

Hello guys,

A few days ago the default dashboard of OSSEC in Splunk worked fine, but I had to clean up some space so I deleted some data logs and now when I open the default dashboard it says: No results found.
So I don't know why, but I don't get data anymore and I thought I didn't change anything...
Can someone help me? If you have questions please ask 🙂

0 Karma
1 Solution

DEAD_BEEF
Builder

I'm not sure if there's an option to set all fields to default again. I honestly think the easiest thing will be to just manually check each field. They are case-sensitive, so I'd be sure to check them very carefully! Sounds like a field prob. got renamed so the query isn't working. Let me know how this comes along.

nickbijmoer
Path Finder

They were just gone apparently, I added them again and now it's working 🙂

0 Karma

DEAD_BEEF
Builder

Some of the fields themselves were gone? As in, no logs contained data for such a named field? That is really odd. How did you add it again to fix it? Just so others know as well in the future 🙂

0 Karma

nickbijmoer
Path Finder

Yeah I just manually extracted the fields again 🙂

0 Karma

DEAD_BEEF
Builder

Have you checked the underlying query generating the dashboards to see if a field was renamed or now has no data/results?

0 Karma

nickbijmoer
Path Finder

Yeah, I checked it. It gives no data if I search with that query, but the data that it used before is still in Splunk, so I might have a field that was renamed indeed or something like that... Is there an option to set all fields to default again or reset all fields?

0 Karma