Splunk Enterprise Security

When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

sahiltcs
Path Finder

Hello,

I have Splunk Enterprise Security version 6.5.3.1 and am trying to create a dashboard for Risk Analysis. When I click on the Risk Analysis tab, I am not able to see any dashboards, and nothing is showing in the Incident Review tab either.

I am getting the following error: "The search for datamodel 'Risk' failed to parse, cannot get indexes to search"

Can you please help me figure out why I am getting this error?

Thanks,
Sahil

1 Solution

joebisesi
Path Finder

It sounds like either the 'risk' index isn't there, there is no data in the 'risk' index, or there is a permissions issue.

So, I would look at two things to start with.

  1. Is there a 'Risk' index, and does it have data? You can also run a search against the 'risk' index.
  2. Go to the Risk Analysis Data Model and hit the drop down for edit, and select 'edit permissions'. I believe it should be set by default to Display for 'All Apps', Everyone = Read, Admin = Write

Hope this helps

0 Karma
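One way to check the second step offline, as an added example that is not part of the original post or of Enterprise Security itself: it parses the `[datamodel/<name>]` stanza that Splunk writes to an app's `metadata/local.meta` (or `default.meta`) and flags any sharing that differs from the defaults the answer describes (`export = system` for "All Apps", read for everyone, write for admin). The metadata text below is constructed sample input, not copied from any real app.

```python
import configparser
import re

# Constructed sample of a Splunk app metadata file (metadata/local.meta style).
# 'Risk' uses the expected ES sharing; 'Risk_Restricted' is a deliberately
# misconfigured stanza that would hide the model from non-admin users.
SAMPLE_META = """\
[datamodel/Risk]
access = read : [ * ], write : [ admin ]
export = system
owner = admin

[datamodel/Risk_Restricted]
access = read : [ admin ], write : [ admin ]
export = none
owner = admin
"""

# Matches the 'read : [ role, role ]' and 'write : [ ... ]' parts of an access spec.
ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[\s*([^\]]*)\]")


def parse_access(spec):
    """Turn 'read : [ * ], write : [ admin ]' into {'read': ['*'], 'write': ['admin']}."""
    out = {"read": [], "write": []}
    for perm, roles in ACCESS_RE.findall(spec):
        out[perm] = [r.strip() for r in roles.split(",") if r.strip()]
    return out


def check_datamodel_sharing(meta_text, model_name):
    """Return a list of findings for [datamodel/<model_name>] in a .meta file.

    An empty list means the stanza matches the defaults described in the answer:
    Display for All Apps (export = system), Everyone = Read ('*'), Admin = Write.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(meta_text)
    stanza = f"datamodel/{model_name}"
    if stanza not in cp:
        return [f"no [{stanza}] stanza in this file; check default.meta instead"]
    findings = []
    sec = cp[stanza]
    if sec.get("export", "none").strip() != "system":
        findings.append("export is not 'system' (model is not displayed for All Apps)")
    acc = parse_access(sec.get("access", ""))
    if "*" not in acc["read"]:
        findings.append(f"read roles {acc['read']} do not include '*' (Everyone)")
    if "admin" not in acc["write"]:
        findings.append(f"write roles {acc['write']} do not include 'admin'")
    return findings
```

Point it at the real file with `check_datamodel_sharing(open(path).read(), "Risk")`; an empty result means the sharing matches the answer's defaults and the problem is more likely the index or its data.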

sahiltcs
Path Finder

There is a version issue with Splunk Enterprise Security. Now we are planning to install a new version of the security app.

0 Karma

sahiltcs
Path Finder

Any update? Please confirm.

0 Karma

joebisesi
Path Finder

No version bug that I am aware of.
Let me ask a clarifying question.
Are you unable to see the dashboard, or is it not finding any results?

0 Karma

sahiltcs
Path Finder

It is not finding any results when I go to the Risk Analysis tab, because "eventtypes with macros don't work".

Do we need to change anything in a configuration file, or what action do we need to perform?

0 Karma

joebisesi
Path Finder

Are you still getting the original error of 'The search for datamodel 'Risk' failed to parse, cannot get indexes to search' ?

0 Karma

sahiltcs
Path Finder

Yes, I am getting the same error. It's a version issue, I guess. I asked the concerned team to install the new Enterprise Security app.

Any thoughts ?

Thanks,
Sahil

0 Karma

sahiltcs
Path Finder

Hi joebisesi,

I changed the permissions and ran a search against the risk index, and it has data, but it still does not work.

Is there any version bug in this version?

0 Karma