Splunk Enterprise Security

When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

sahiltcs
Path Finder

Hello,

I have Splunk enterprise security version 6.5.3.1 and am trying to create a dashboard for Risk Analysis. When I click on the Risk Analysis tab, I am not able to see any dashboards and also nothing is showing in the Incident Review tab.

I am getting the following error: "The search for datamodel 'Risk' failed to parse, cannot get indexes to search"

Can you please help me figure out why I am getting this error?

Thanks,
Sahil

1 Solution

joebisesi
Path Finder

It sounds like it either the 'risk' index isn't there or there is no data in the 'risk' index, or there is a permissions issue.

So, I would look at two things to start with.

  1. Is there a 'Risk' index, and does it have data? You can also run a search against the 'risk' index.
  2. Go to the Risk Analysis Data Model and hit the drop down for edit, and select 'edit permissions'. I believe it should be set by default to Display for 'All Apps', Everyone = Read, Admin = Write

Hope this helps

View solution in original post

0 Karma

sahiltcs
Path Finder

There is version issue splunk enterprise security, Now we are planning to install new version of security App

0 Karma

joebisesi
Path Finder

It sounds like it either the 'risk' index isn't there or there is no data in the 'risk' index, or there is a permissions issue.

So, I would look at two things to start with.

  1. Is there a 'Risk' index, and does it have data? You can also run a search against the 'risk' index.
  2. Go to the Risk Analysis Data Model and hit the drop down for edit, and select 'edit permissions'. I believe it should be set by default to Display for 'All Apps', Everyone = Read, Admin = Write

Hope this helps

0 Karma

sahiltcs
Path Finder

Any Update Please Confirm

0 Karma

joebisesi
Path Finder

No version bug that I am aware of.
Let me ask a clarifying question.
Are you unable to see the dashboard, or is not finding any results?

0 Karma

sahiltcs
Path Finder

It is not finding any result when I go to Risk analysis TAB Because eventtypes with macros don’t work”.

Do we need to change anything in configuration file or What action we need to perform?

0 Karma

joebisesi
Path Finder

Are you still getting the original error of 'The search for datamodel 'Risk' failed to parse, cannot get indexes to search' ?

0 Karma

sahiltcs
Path Finder

Yes I am getting same error, Its version issue I guess , I asked concered team to install new enterprise security app

Any thoughts ?

Thanks,
Sahil

0 Karma

sahiltcs
Path Finder

There is version issue splunk enterprise security, Now we are planning to install new version of security App

0 Karma

sahiltcs
Path Finder

Hi Joebiesi,

I changed the permissions and run risk index and they have data but still it not works.

Is there any issue Version Bug in the version ?

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...