Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are most of my Ent. Security Dashboards are blank? How do I open the flood gates of data or events into ES

SamHTexas
Builder
‎03-24-2021 03:04 PM

Why are most of my Ent. Security Dashboards are blank? How do I open the flood gates of data or events into ES. Matter what options I pick or which dashboard, says no result  found. We have a large environment, where are the events & all the goods & incidents?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-24-2021 04:24 PM

Many ES dashboards are populated by datamodels.  Have you set yours up?  Have you enabled correlation searches appropriate for your data?  Most importantly, is your data CIM-compliant?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SamHTexas
Builder
‎03-24-2021 09:00 PM

Thank u for your message. Yes, most of the environment was set up before I started. There are 30 or so datamodels mapped to apps & few 1000 saved searches. But the dashboards all pretty much say no data available!! Please advise. Also advise on how to best use the data models I have. Thank u

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-25-2021 08:50 AM

There is no easy answer for this problem.  I suspect data was not onboarded to be CIM-compliant so now it can't be found by the datamodels. 

Review an empty dashboard to see what it is trying to find.  Verify there is data meeting those requirements (same sourcetype, tags, fields, etc).  Add fields, aliases, and tags as necessary for the search to find the data.  Avoid modifying the built-in datamodels.

Repeat for each empty panel.

---
If this reply helps you, Karma would be appreciated.
Reply

SamHTexas
Builder
‎03-28-2021 11:50 AM

Great, it is making a lot of sense. So what role do Lookup tables make in this picture?

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2021 12:42 PM

Lookups enrich data.  In ES, they add asset and identity information to notable events in addition to whatever custom enrichments your searches may need.

I doubt lookups are a cause of your blank dashboards, however.  If the lookups were failing then you'd still see *something* on the dashboard.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top