Splunk Enterprise Security

When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

sahiltcs
Path Finder

Hello,

I have Splunk Enterprise Security version 6.5.3.1 and am trying to create a dashboard for Risk Analysis. When I click on the Risk Analysis tab, I am not able to see any dashboards, and also nothing is showing in the Incident Review tab.

I am getting the following error: "The search for datamodel 'Risk' failed to parse, cannot get indexes to search"

Can you please help me figure out why I am getting this error?

Thanks,
Sahil

1 Solution

joebisesi
Path Finder

It sounds like either the 'risk' index isn't there, there is no data in the 'risk' index, or there is a permissions issue.

So, I would look at two things to start with.

  1. Is there a 'risk' index, and does it have data? You can also run a search against the 'risk' index.
  2. Go to the Risk Analysis Data Model and hit the drop-down for edit, and select 'edit permissions'. I believe it should be set by default to Display for 'All Apps', Everyone = Read, Admin = Write.

Hope this helps


0 Karma
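The two checks in the accepted answer can be scripted against splunkd's REST API instead of clicking through the UI. This is an added example, not code from the thread or from Splunk; it assumes the management port is 8089 and the JSON shape of the `data/indexes` and `datamodel/model` endpoints (an `entry` list with `content` and `acl` objects).

```python
"""Check whether the 'risk' index exists and holds events, and whether the
Risk data model is shared to all apps with read access for everyone.
Constructed example, not part of Splunk Enterprise Security."""
import base64
import json
import ssl
import urllib.error
import urllib.request

SPLUNKD = "https://localhost:8089"  # assumed splunkd management port


def _get(path, user, password):
    """GET a splunkd REST endpoint; return its 'entry' list ([] on 404)."""
    req = urllib.request.Request(f"{SPLUNKD}{path}?output_mode=json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    # Default context verifies the server cert; add the splunkd CA via cafile=
    # rather than disabling verification if the instance is self-signed.
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp).get("entry", [])
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


def check_risk_index(entries):
    """Return (exists, event_count) from a /data/indexes/risk response."""
    for e in entries:
        if e.get("name") == "risk":
            return True, int(e.get("content", {}).get("totalEventCount", 0))
    return False, 0


def check_risk_model_acl(entries):
    """Return a list of permission problems for the Risk data model (empty = OK)."""
    if not entries:
        return ["data model 'Risk' not found"]
    acl = entries[0].get("acl", {})
    problems = []
    if acl.get("sharing") != "global":  # 'global' is what the UI calls 'All apps'
        problems.append(f"sharing is {acl.get('sharing')!r}, expected 'global'")
    read = acl.get("perms", {}).get("read", [])
    if "*" not in read:  # '*' is the 'Everyone' role in REST output
        problems.append(f"read roles {read}, expected everyone ('*')")
    return problems


if __name__ == "__main__":
    import getpass
    user = "admin"  # assumed; change to an ES-capable account
    pw = getpass.getpass(f"splunkd password for {user}: ")
    exists, count = check_risk_index(_get("/services/data/indexes/risk", user, pw))
    print(f"risk index: exists={exists} events={count}")
    for p in check_risk_model_acl(_get("/services/datamodel/model/Risk", user, pw)):
        print("Risk data model:", p)
```

An index that exists but reports zero events, or a data model shared only to its own app, matches the two failure modes the answer describes.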

sahiltcs
Path Finder

There is a version issue with Splunk Enterprise Security. Now we are planning to install a new version of the Security app.

0 Karma

sahiltcs
Path Finder

Any update? Please confirm.

0 Karma

joebisesi
Path Finder

No version bug that I am aware of.
Let me ask a clarifying question.
Are you unable to see the dashboard, or is it not finding any results?

0 Karma

sahiltcs
Path Finder

It is not finding any results when I go to the Risk Analysis tab, because eventtypes with macros don't work.

Do we need to change anything in a configuration file, or what action do we need to perform?

0 Karma

joebisesi
Path Finder

Are you still getting the original error of 'The search for datamodel 'Risk' failed to parse, cannot get indexes to search' ?

0 Karma

sahiltcs
Path Finder

Yes, I am getting the same error. It's a version issue, I guess; I asked the concerned team to install a new Enterprise Security app.

Any thoughts ?

Thanks,
Sahil

0 Karma

sahiltcs
Path Finder

Hi Joebisesi,

I changed the permissions and ran a search on the risk index, and it has data, but it still does not work.

Is there any version bug in this version?

0 Karma