Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the Splunk Enterprise Security Malware Center not displaying infection counts?

daniel333
Builder
‎03-02-2017 06:32 PM

All,

I have installed Splunk Enterprise Security (ES) and the Clam AV apps. Searching tag=malware tag=attack works, bringing up the expected event. I can even see it in the visualizations. But I am not seeing it the host itself showing as infected. Any idea why? Very new to ES so I am not sure where to start on troubleshooting this.

alt text

Preview file
46 KB
0 Karma
Reply

bcyates
Communicator
‎08-23-2018 02:36 PM

Those two indicators at the top look for 'action=allowed.' Your action is deferred so it does not match the search that the Key Indicators are looking for

0 Karma
Reply

adayton20
Contributor
‎03-03-2017 03:33 AM

A few things I noticed from your picture. I'm purely speculating because I don't know what those underlying searches look like.

Did you check the date and time of that event in comparison to the time you were searching for it?
Did you check whether the TZ and/or timestamp settings are correct for both the host you used the Eicar test file on, and the indexer?

I looked at the time chart dates and times in your picture, and compared that to the time you posted. It looks as if that event might have a time stamp in the future. Not sure what time zone you're in, but I've run into an issue before where an appliance had the incorrect system time set for events, and events were showing up in Splunk in the future. I also noticed something similar with my case that you also did; the events show up in a time chart, but not in a single value count or any adhoc search that specified a particular time range that wasn't all time.

If that isn't the case, I could take a look at the searches for you?

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...