Dashboards & Visualizations

Why is my sophos dashboard not showing data?

madhuys
Loves-to-Learn

I have Sophos and SonicWall firewalls in my network and installed Splunk for log gathering. Then I configured Sophos in Splunk, collecting all logs from Sophos. But it is showing no data in the Sophos dashboard.


Please guide me on how to get all Sophos alerts in the dashboard.

0 Karma

richgalloway
SplunkTrust

Installing an app and collecting logs is not unlike digging a tunnel from both ends. If you're not careful, the ends won't meet.

No doubt the Sophos dashboard is looking for specific data in a specific place. Did you put your logs in the right place (index)? Do your logs have the data the dashboard is looking for?

Check the timestamps on the logs because if they're incorrect then Splunk won't find the data. For instance, if the time zone is off then events may be indexed "in the future".

You may need to read the dashboard code to see exactly what is being sought.

---
If this reply helps you, Karma would be appreciated.
0 Karma

madhuys
Loves-to-Learn

Thanks for the reply. I have followed the mentioned URL. It is fetching logs from the Sophos firewall. I'm missing something here. Please guide.

https://community.sophos.com/sophos-integrations/w/integrations/106/splunk-add-on-for-sophos-next-ge...


0 Karma

richgalloway
SplunkTrust

As I stated previously, ingesting data is only part of the puzzle. Have you examined the app to see what data it expects and where it expects to find it? Do you have the data the app is expecting?

---
If this reply helps you, Karma would be appreciated.
0 Karma

madhuys
Loves-to-Learn

Thanks for the support. I tried to find the problem but failed. How do I diagnose line by line to identify the problem?

0 Karma

richgalloway
SplunkTrust

HOW did you try to solve the problem?

This probably is not a line-by-line debugging scenario. This is a case of examining the search(es) used by the dashboard and confirming you have the data sought by the search.

Use the Edit button to open the dashboard then click the magnifying glass icon to see the search query. Copy that query into a separate search tab/window. Set the time range to match that used by the dashboard. Remove everything from the first pipe (|) to the end of the query and run the search. Verify you get results. If you don't then something in the new query doesn't match your data and will have to be modified.

If you do get results, then add the pipe and command from the original query and run the search again. Verify you get results. Repeat this process until you get no results. That command will be the one causing the problem. Modify that command so it works with the data you have. Copy the resulting query back to the dashboard.

---
If this reply helps you, Karma would be appreciated.
0 Karma
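The pipe-by-pipe narrowing described in the reply above, as an added helper that is not part of the thread or of the Sophos add-on: it splits a dashboard search at its top-level pipes (ignoring pipes inside quoted strings and `[...]` subsearches), builds the growing sequence of queries to run, and reports the first stage that returns nothing. The sample query, its field names and the result counts returned by `fake_run` are constructed for illustration, not taken from the real Sophos dashboard.

```python
from typing import Callable, List, Optional

def split_top_level_pipes(spl: str) -> List[str]:
    """Split an SPL string on '|' characters that sit outside quotes and subsearch brackets."""
    parts, buf, depth, quote = [], [], 0, None
    i = 0
    while i < len(spl):
        ch = spl[i]
        if quote:                                  # inside a quoted string
            buf.append(ch)
            if ch == "\\" and i + 1 < len(spl):    # keep an escaped character verbatim
                buf.append(spl[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
            buf.append(ch)
        elif ch == "[":                            # entering a subsearch
            depth += 1
            buf.append(ch)
        elif ch == "]":
            depth -= 1
            buf.append(ch)
        elif ch == "|" and depth == 0:             # a real stage boundary
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def incremental_queries(spl: str) -> List[str]:
    """Stage 1, stages 1-2, stages 1-3, ... exactly the sequence the reply tells you to run by hand."""
    stages = split_top_level_pipes(spl)
    return [" | ".join(stages[: n + 1]) for n in range(len(stages))]

def first_empty_stage(spl: str, run: Callable[[str], int]) -> Optional[str]:
    """Return the first cumulative query for which run() reports zero results, or None if all succeed."""
    for query in incremental_queries(spl):
        if run(query) == 0:
            return query
    return None

# Constructed example: a dashboard-style search whose 'where' stage assumes a field name the data lacks.
SAMPLE_QUERY = ('index=sophos sourcetype="sophos:firewall" [search index=assets | fields ip]'
                ' | where log_subtype="Denied" | stats count by ip | sort -count')

def fake_run(query: str) -> int:
    """Stand-in for running the search in Splunk: pretend the data has no log_subtype field."""
    return 0 if "log_subtype" in query else 5
```

In practice `run` is you pasting each printed query into a search window with the dashboard's time range; the stage it reports is the command to adapt to your real field names.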