Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are most of my Ent. Security Dashboards are blank? How do I open the flood gates of data or events into ES

SamHTexas
Builder
‎03-24-2021 03:04 PM

Why are most of my Ent. Security Dashboards are blank? How do I open the flood gates of data or events into ES. Matter what options I pick or which dashboard, says no result  found. We have a large environment, where are the events & all the goods & incidents?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-24-2021 04:24 PM

Many ES dashboards are populated by datamodels.  Have you set yours up?  Have you enabled correlation searches appropriate for your data?  Most importantly, is your data CIM-compliant?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SamHTexas
Builder
‎03-24-2021 09:00 PM

Thank u for your message. Yes, most of the environment was set up before I started. There are 30 or so datamodels mapped to apps & few 1000 saved searches. But the dashboards all pretty much say no data available!! Please advise. Also advise on how to best use the data models I have. Thank u

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-25-2021 08:50 AM

There is no easy answer for this problem.  I suspect data was not onboarded to be CIM-compliant so now it can't be found by the datamodels. 

Review an empty dashboard to see what it is trying to find.  Verify there is data meeting those requirements (same sourcetype, tags, fields, etc).  Add fields, aliases, and tags as necessary for the search to find the data.  Avoid modifying the built-in datamodels.

Repeat for each empty panel.

---
If this reply helps you, Karma would be appreciated.
Reply

SamHTexas
Builder
‎03-28-2021 11:50 AM

Great, it is making a lot of sense. So what role do Lookup tables make in this picture?

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2021 12:42 PM

Lookups enrich data.  In ES, they add asset and identity information to notable events in addition to whatever custom enrichments your searches may need.

I doubt lookups are a cause of your blank dashboards, however.  If the lookups were failing then you'd still see *something* on the dashboard.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...