When I open the dashboard, panels using basic search do not work, but if I open them in the search, I get the results I want. I will provide the XML. Why could it happen? Is there some kind of missing feature that prevents me from seeing the results in the dashboard or application even though I can see the correct results when the panel is open in the search?
<search>
  <query>| pivot proofpoint proofpoint_search count(proofpoint_search) AS "Count of proofpoint_search" SPLITROW _time AS _time PERIOD auto SPLITCOL type3 FILTER type3 is "*" SORT 100 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 0 </query>
</search>
Thanks in advance.
Could be a data-model acceleration problem. If it is a newly installed add-on, kindly check whether the data model is accelerated 100%. Please also check that your indexer name matches your data-model constraint macro. By default that macro takes index=main; if it is a different index, then please update it with your latest index details so that the data gets populated.
This is likely due to your data not going to the correct index. Could you follow these steps below to see if it corrects your problem?
Changing the Index
By default this app uses the "main" index to look for Proofpoint logs. To change this to an index that the Proofpoint Email Security Add-On uses, you need to edit the get_pps_index macro. Here are the steps:
Navigate to Settings->Advanced Search and select "Search macros"
Change the app context to "Proofpoint Email Security App for Splunk"
Select the macro named "get_pps_index"
Change index=main to the correct index. Please make sure this index matches the one used by the Proofpoint Email Security Add-On for Splunk.
Save the configuration.