Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the proofpoint dashboard display "waiting for data"?

ALLIACOM
New Member
‎03-02-2018 07:18 AM

hello Everybody
When I open the dashboard, panels using basic search do not work, but if I open them in the search, I get the results I want. I will provide the XML. Why could it happen? Is there some kind of missing feature that prevents me from seeing the results in the dashboard or application even though I can see the correct results when the panel is open in the search?

    <search>
      <query>| pivot proofpoint proofpoint_search count(proofpoint_search) AS "Count of proofpoint_search" SPLITROW _time AS _time PERIOD auto SPLITCOL type3 FILTER type3 is "*" SORT 100 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 0 </query>

Thanks in advance.

0 Karma
Reply

sridharks92
Engager
‎01-26-2020 09:40 AM

Hi,

Could be data-model acceleration problem. If it is newly installed add-on, kindly check whether the data-model is accelerated 100%. Please also check your indexer name is matching with your data-model constrain macro. By default that macro takes index=main, if it is different index, then please update with your latest index details to data get populated.

Thanks.

0 Karma
Reply

eckolp2003
Path Finder
‎03-13-2018 01:13 PM

Hello,

This is likely due to your data not going to the correct index. Could you follow these steps below to see if it corrects your problem?

Changing the Index
By default this app uses the "main" index to look for Proofpoint logs. To change this to an index that the Proofpoint Email Security Add-On uses, you need to edit the get_pps_index macro. Here are the steps:

Navigate to Settings->Advanced Search and select "Search macros"
Change the app context to "Proofpoint Email Security App for Splunk"
Select the macro named "get_pps_index"
Change index=main to the correct index. Please make sure this index matches the one used the Proofpoint Email Security Add-On for Splunk.
Save the configuration.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...