Getting Data In

Why is notable index empty?

NeedNotToKnow
Explorer

After installing the Splunk Enterprise Security (ES) app using the splunk-enterprise-security_701.spl file, I noticed that the "Security Posture" dashboard was empty and searching for index=notable returned no results. Upon further investigation, I discovered that there was no inputs.conf file present in the /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local directory.

0 Karma

gcusello
SplunkTrust

Hi @NeedNotToKnow,

before installing and configuring ES, it's a best practice to check that you're receiving all the data flows of your perimeter and that these data flows are all normalized.

You can check normalization by checking whether the Add-Ons you used to ingest logs are all CIM 4.x compliant.

When you are sure you have all the data flows of your perimeter, you can go to Configure > Content > Content Management and enable the Correlation Searches that you can use with your data flows.

I suggest making a preliminary analysis of the Correlation Searches that can be enabled with your data; you can do this manually or using the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435).

I suggest searching the YouTube Splunk Channel for some videos that describe how to install and configure ES.

Ciao.

Giuseppe

0 Karma

NeedNotToKnow
Explorer

This didn't help.

Can you give me a video to configure ES?

And why didn't I have inputs.conf?

0 Karma

gcusello
SplunkTrust

Hi @NeedNotToKnow,

you don't have inputs.conf because this file is usually on the forwarders that ingest data flows, not on the ES server.

About configuring ES, it isn't so immediate, and I suggest following a training, otherwise it will be very hard!

Anyway, here you can find some documentation and tutorials:

https://lantern.splunk.com/Security/Getting_Started/Configuring_and_optimizing_Enterprise_Security

https://www.youtube.com/watch?v=YMtJjoVk4q0

https://www.youtube.com/watch?v=IA2QwdpCm74

https://www.youtube.com/watch?v=QdM6JvnYu7g

https://www.youtube.com/results?search_query=splunk+enterprise+security

Ciao.

Giuseppe

0 Karma

NeedNotToKnow
Explorer

I can't solve the problem:

index=notable

is empty.

0 Karma

gcusello
SplunkTrust

Hi @NeedNotToKnow,

check if you have events in Data Models and if you have activated some Correlation Searches.

The notable index receives events from the CSs; if you don't enable them and they don't trigger alerts, you won't have notables.

I cannot suggest a CS to start with because they depend on the data you have.

As I said, install the Security Essentials App to see which CS are possible to enable.

Ciao.

Giuseppe

0 Karma
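As an added illustration (not part of this thread or of the ES app), a small audit of a savedsearches.conf that answers the question raised here: which correlation searches are actually able to write to the notable index, and which data models they read from. The stanza names and searches are constructed; the keys checked (disabled, enableSched, action.correlationsearch.enabled, action.notable) are the standard Splunk/ES saved-search settings.

```python
import configparser
import re

# Constructed sample of an ES savedsearches.conf. Stanza names and the
# search strings are invented for illustration; the keys are the standard ones.
SAMPLE_CONF = """
[Example - Excessive Failed Logins - Rule]
disabled = 1
enableSched = 1
cron_schedule = */5 * * * *
action.correlationsearch.enabled = 1
action.notable = 1
search = | tstats count from datamodel=Authentication where Authentication.action="failure" by Authentication.src

[Example - Firewall Denies to Host - Rule]
disabled = 0
enableSched = 1
cron_schedule = */10 * * * *
action.correlationsearch.enabled = 1
action.notable = 1
search = | tstats count from datamodel=Network_Traffic where All_Traffic.action="blocked" by All_Traffic.dest

[Example - Plain Report]
disabled = 0
search = index=firewall-1 OR index=firewall-2 | stats count by action
"""

DATAMODEL_RE = re.compile(r"datamodel=(\w+)")


def parse_conf(text):
    """Parse Splunk's INI-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. action.correlationsearch.enabled
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def correlation_searches(stanzas):
    """Only stanzas flagged as ES correlation searches count; plain reports do not."""
    return {n: s for n, s in stanzas.items()
            if s.get("action.correlationsearch.enabled") == "1"}


def can_produce_notables(stanza):
    """Enabled, scheduled and configured to create a notable on match."""
    return (stanza.get("disabled", "0") == "0"
            and stanza.get("enableSched", "0") == "1"
            and stanza.get("action.notable") == "1")


def audit(text):
    """Per correlation search: will it feed index=notable, and which data models does it read?"""
    return {name: {"active": can_produce_notables(st),
                   "datamodels": DATAMODEL_RE.findall(st.get("search", ""))}
            for name, st in correlation_searches(parse_conf(text)).items()}
```

Running audit(SAMPLE_CONF) shows the disabled rule as inactive and the plain report absent, which is the situation the thread describes: notables only appear once an enabled correlation search reads a populated data model.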

NeedNotToKnow
Explorer

Sorry I bothered you many times.

Notable gets its events from correlation searches, ok?

But when I install Splunk ES there are many prebuilt CSs.

So my task is just to go and enable them, right?

But these correlation searches run on what index?

For example, if I have two indexes, firewall-1 and firewall-2,

will these CSs by default run on both indexes?

Or should I manually edit them? If yes, how?

Did you get me? Sorry for bothering.

0 Karma