Splunk Enterprise Security

When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

Hello,

I have Splunk Enterprise Security version 6.5.3.1 and am trying to create a dashboard for Risk Analysis. When I click on the Risk Analysis tab, I am not able to see any dashboards, and nothing is showing in the Incident Review tab either.

I am getting the following error: "The search for datamodel 'Risk' failed to parse, cannot get indexes to search"

Can you please help me figure out why I am getting this error?

Thanks,
Sahil

Re: When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

It sounds like either the 'risk' index isn't there, there is no data in the 'risk' index, or there is a permissions issue.

So, I would look at two things to start with.

  1. Is there a 'Risk' index, and does it have data? You can also run a search against the 'risk' index.
  2. Go to the Risk Analysis Data Model, hit the drop-down for edit, and select 'edit permissions'. I believe it should be set by default to Display for 'All Apps', Everyone = Read, Admin = Write.

Hope this helps.

0 Karma
Re: When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

Hi Joebiesi,

I changed the permissions and ran the risk index and they have data, but it still does not work.

Is there any issue or bug in the version?

0 Karma
Re: When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

Any update? Please confirm.

0 Karma
Re: When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

No version bug that I am aware of.
Let me ask a clarifying question.
Are you unable to see the dashboard, or is it not finding any results?

0 Karma
Re: When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

It is not finding any results when I go to the Risk Analysis tab, because "eventtypes with macros don't work".

Do we need to change anything in a configuration file, or what action do we need to perform?

0 Karma
Re: When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

Are you still getting the original error of "The search for datamodel 'Risk' failed to parse, cannot get indexes to search"?

0 Karma
Re: When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

Yes, I am getting the same error. It's a version issue, I guess. I asked the concerned team to install a new Enterprise Security app.

Any thoughts?

Thanks,
Sahil

0 Karma
Re: When trying to create a dashboard for Risk Analysis In Splunk Enterprise Security, why am I getting the following error: "the search for datamodel 'Risk' failed to parse"

There is a version issue with Splunk Enterprise Security. Now we are planning to install a new version of the security app.

0 Karma