- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Why are the dashboards not displaying any data in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are the dashboards not displaying any data in the Enterprise Security app?
So I recently had to nuke the search head that our Enterprise Security app was running on. I have reinstalled everything and setup search peers but I am having trouble getting any of the dashboards to display any data. Any help with this would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The data in the ES dashboards is retrieved from the DataModels residing in your indexers.
The first thing to test is if you can search anything from ma data model, like *| from datamodel:. *. Let me know if you have results for any of the datamodels you are using
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get nothing when running that string in search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you specifiying one data model?
Like | from datamodel:"Network_Traffic"."All_Traffic"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe it is like this
| datamodel Authentication search | table Authentication.*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, That search returns a ton of results. I have made some progress and have got my identities and assets lists created in ES. Some of the issues I'm having now are:
1. The two lists do not share a common value, so I'm not sure how to merge or if they can even merged
2. When I run a search Asset/Identity Investigator, It returns a lot of bogus PII events. I do have the demo data disabled, So I'm not sure why these events are being labeled as such.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
