Solved: Why is gia_summary index not populating?

Stefanie · ‎01-03-2022

I've been investigating why I started to not receive ES events for some time now. After upgrading ES, I had to reinstall a lot of the apps that were previously installed & configured. One of the things I have not been able to resolve is how to get ES to detect "Geographically Improbable Access Detected" again.

My Authentication Datamodel is receiving events again.

My asset_lookup_by_str has events

However, my asset_lookup_by_cidr does not return results. So I believe this may be causing it.

How can I get the asset_lookup_by_cidr to populate again?

Stefanie · ‎02-22-2022

Just an update in case anyone in the future has this problem.

I had pull a list of all assets with CIDR information, and then create a lookup for CIDR.

I also populated the data with city, country, lat, long. That seemed to fix it!

View solution in original post

Stefanie · ‎02-22-2022

Just an update in case anyone in the future has this problem.

I had pull a list of all assets with CIDR information, and then create a lookup for CIDR.

I also populated the data with city, country, lat, long. That seemed to fix it!

Why is gia_summary index not populating?

using Enterprise Security

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life