Hey @rafeeqsid25,

I'm assuming by your saying there's no data on the dashboard, there's no data on any of them? Your "all ES datamodels are accelerated" comment kind of tips me off, as it's not too common to see an environment where they all are.

There's kind of a lot to go through here, and I don't know how familiar you are with Splunk or its mechanisms, so I'll start at the baseline.

Do you know if your data is CIM-compliant? You can get an overview of CIM, the Common Information Model, here: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview

ES dashboards are populated by searches based - mostly - on the summaries created by accelerated data models. But the acceleration of that data is dependent on the data being normalized to that Common Information Model.

Try this. Datamodel summaries - what model accelerations create - are generated by underlying searches. Those searches look something like this:

`relevant_indexes` tag=relevant

Take any of those models, and run their searches ad-hoc. Do you get results? If not, they're probably not CIM compliant, or you just don't have the data applicable to that model. Or both.

What ES dashboard? The security posture?

Have you enabled or created correlation searches that have alert actions as create notable events? If not, then you can't expect dashboards based on notables if they don't exist yet.

Let us know