Dashboards & Visualizations

Why is the proofpoint dashboard display "waiting for data"?

New Member

hello Everybody
When I open the dashboard, panels using basic search do not work, but if I open them in the search, I get the results I want. I will provide the XML. Why could it happen? Is there some kind of missing feature that prevents me from seeing the results in the dashboard or application even though I can see the correct results when the panel is open in the search?

      <query>| pivot proofpoint proofpoint_search count(proofpoint_search) AS "Count of proofpoint_search" SPLITROW _time AS _time PERIOD auto SPLITCOL type3 FILTER type3 is "*" SORT 100 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 0 </query>

Thanks in advance.

0 Karma



Could be data-model acceleration problem. If it is newly installed add-on, kindly check whether the data-model is accelerated 100%. Please also check your indexer name is matching with your data-model constrain macro. By default that macro takes index=main, if it is different index, then please update with your latest index details to data get populated.


0 Karma

Path Finder


This is likely due to your data not going to the correct index. Could you follow these steps below to see if it corrects your problem?

Changing the Index
By default this app uses the "main" index to look for Proofpoint logs. To change this to an index that the Proofpoint Email Security Add-On uses, you need to edit the get_pps_index macro. Here are the steps:

Navigate to Settings->Advanced Search and select "Search macros"
Change the app context to "Proofpoint Email Security App for Splunk"
Select the macro named "get_pps_index"
Change index=main to the correct index. Please make sure this index matches the one used the Proofpoint Email Security Add-On for Splunk.
Save the configuration.

Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...