Splunk Enterprise Security

When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

sahiltcs
Path Finder

Hello,

I have Splunk Enterprise Security version 6.5.3.1 and am trying to create a dashboard for Risk Analysis. When I click on the Risk Analysis tab, I am not able to see any dashboards, and also nothing is showing in the Incident Review tab.

I am getting the following error: "The search for datamodel 'Risk' failed to parse, cannot get indexes to search"

Can you please help me figure out why I am getting this error?

Thanks,
Sahil

1 Solution

joebisesi
Path Finder

It sounds like either the 'risk' index isn't there, there is no data in the 'risk' index, or there is a permissions issue.

So, I would look at two things to start with.

  1. Is there a 'Risk' index, and does it have data? You can also run a search against the 'risk' index.
  2. Go to the Risk Analysis data model, hit the drop-down for Edit, and select 'Edit Permissions'. I believe it should be set by default to display for 'All Apps', Everyone = Read, Admin = Write.

Hope this helps

0 Karma
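The two checks from the answer above, as an added script that is not part of this thread; it assumes a Splunk management port at localhost:8089, a session token, and the role name ess_analyst, and keeps the decision logic separate so it also runs offline on constructed sample entries:

```python
"""Checks for the three causes named in the answer above (added example,
not from the thread): missing 'risk' index, empty index, or a 'Risk' data
model the viewer cannot read. Host, token and role are assumptions."""
import json
import ssl
import urllib.error
import urllib.request

SPLUNK_URL = "https://localhost:8089"        # assumed management port
SPLUNK_TOKEN = "REPLACE_WITH_SESSION_TOKEN"  # placeholder, not a real token

def rest_get(path):
    """GET a Splunk REST endpoint's first JSON entry; None on HTTP 404."""
    req = urllib.request.Request(f"{SPLUNK_URL}{path}?output_mode=json",
                                 headers={"Authorization": f"Splunk {SPLUNK_TOKEN}"})
    try:  # default context verifies the cert: trust your Splunk CA first
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
            return json.load(r)["entry"][0]
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def diagnose(index_entry, datamodel_entry, role="ess_analyst"):
    """Return findings for the index entry (None if absent) and data model
    entry; an empty list means joebisesi's checks all pass for `role`."""
    findings = []
    if index_entry is None:
        findings.append("index 'risk' does not exist")
    elif int(index_entry["content"].get("totalEventCount", 0)) == 0:
        findings.append("index 'risk' exists but has no events")
    acl = datamodel_entry.get("acl", {})
    if acl.get("sharing") != "global":            # 'All Apps' in the UI
        findings.append("data model 'Risk' is not shared to All Apps")
    readers = acl.get("perms", {}).get("read", [])
    if "*" not in readers and role not in readers:  # '*' is Everyone
        findings.append(f"role '{role}' cannot read data model 'Risk'")
    return findings

# Constructed sample entries shaped like the REST API's JSON 'entry' items.
SAMPLE_INDEX_OK = {"name": "risk", "content": {"totalEventCount": "1532"}}
SAMPLE_DM_OK = {"name": "Risk", "acl": {"sharing": "global",
                "perms": {"read": ["*"], "write": ["admin"]}}}

if __name__ == "__main__":
    print(diagnose(SAMPLE_INDEX_OK, SAMPLE_DM_OK))  # offline sample: []
    # Live: diagnose(rest_get("/services/data/indexes/risk"),
    #                rest_get("/services/datamodel/model/Risk"))
```

The live calls use the same entries the UI reads, so a non-empty result points at which of the three causes to fix before re-opening the Risk Analysis tab.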

sahiltcs
Path Finder

There is a version issue with Splunk Enterprise Security. Now we are planning to install a new version of the Security app.

0 Karma

sahiltcs
Path Finder

Any update? Please confirm.

0 Karma

joebisesi
Path Finder

No version bug that I am aware of.
Let me ask a clarifying question.
Are you unable to see the dashboard, or is it not finding any results?

0 Karma

sahiltcs
Path Finder

It is not finding any results when I go to the Risk Analysis tab, because "eventtypes with macros don't work".

Do we need to change anything in a configuration file, or what action do we need to perform?

0 Karma

joebisesi
Path Finder

Are you still getting the original error of 'The search for datamodel 'Risk' failed to parse, cannot get indexes to search' ?

0 Karma

sahiltcs
Path Finder

Yes, I am getting the same error. It's a version issue, I guess; I asked the concerned team to install the new Enterprise Security app.

Any thoughts ?

Thanks,
Sahil

0 Karma

sahiltcs
Path Finder

Hi joebisesi,

I changed the permissions and ran a search on the risk index, and it has data, but it still does not work.

Is there any version bug in this version?

0 Karma