I want to see my data in the ES dashboard Security Domains -> Endpoint -> Endpoint Changes.
I created the following things:
props.conf with CIM-compliant field aliases.
[MyEventType]
search = index=MyIndex sourcetype=MySourcetype
[eventtype=MyEventType]
change = enabled
endpoint = enabled
I can successfully search the events with tag=change and tag=endpoint. I can also successfully search the data with the data model constraint (`cim_Change_indexes`) tag=change NOT (object_category=file OR object_category=directory OR object_category=registry) tag=endpoint.
However, the dashboard stays empty. When I manually execute one of the dashboard searches, | tstats append=T count from datamodel=Change.All_Changes where nodename="All_Changes.Endpoint_Changes", I get no results. When I change nodename="All_Changes.Endpoint_Changes" to nodename="All_Changes" I see my events.
So the question is, what do I need to do to get my events in the node All_Changes.Endpoint_Changes?
@dominikatvastli - Perhaps this could help, to understand the dependency on the datamodel for each dashboard: https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Dashboardrequirements. You normally don't need to include the index=MyIndex in your eventtypes.conf, sourcetype alone will do, unless you want the index. Also, I assume the index is added to the Splunk_SA_CIM/local/macros.conf for cim_Change_indexes.
Hello @dominikatvastli ,
Can you try with this instead:
| tstats allow_old_summaries=t append=T count from datamodel=Change.All_Changes where nodename="All_Changes.Endpoint_Changes"
Let me know if this helps.
***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***
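As an added diagnostic that is not part of either answer above, the following searches separate two different causes of the empty dashboard: the events do not satisfy the Endpoint_Changes dataset constraints (a tags.conf or cim_Change_indexes macro problem), or they do, but the accelerated summary that tstats reads does not contain them. The searches assume the index and sourcetype from the question and an unmodified CIM Change data model whose Endpoint_Changes dataset sits under All_Changes.

```spl
| datamodel Change Endpoint_Changes search
| search index=MyIndex sourcetype=MySourcetype
| stats count by index sourcetype

| tstats summariesonly=t count from datamodel=Change.All_Changes where index=MyIndex sourcetype=MySourcetype by nodename

| tstats allow_old_summaries=t summariesonly=t count from datamodel=Change.All_Changes where nodename="All_Changes.Endpoint_Changes" index=MyIndex sourcetype=MySourcetype by nodename
```

The first search runs the dataset's own constraints against raw events and ignores acceleration entirely; if it returns the events, the tagging and the index macro are correct and the problem is in the summary. The second search lists which nodes of the accelerated summary currently hold events from that sourcetype, so a count for All_Changes but none for All_Changes.Endpoint_Changes points at a summary built against an older definition. The third is the second answer's suggestion with summariesonly=t added, which makes tstats read only summarized data; if it returns the events where the second did not, the summary predates the last change to the data model or the macro and rebuilding the acceleration (Settings > Data models in Splunk Web) is the durable fix rather than leaving allow_old_summaries=t in the search. If the first search returns nothing, no amount of summary work will help: check that tag=endpoint resolves for these events and that the index is listed in the cim_Change_indexes macro.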