Splunk Enterprise Security

how to give data to the Splunk Enterprise security app in the splunk

munna
Explorer

Hello,

I have the Splunk ES app in my splunk enterprise. but i can't see the data in my splunk enterprise security app dashboard(means it shows only 0's).How to give the data to the splunk ES and In how many ways we can give data to that?

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

One does not "give" data to an app.  Apps *search* for data.  If an ES dashboard is not showing data then it's usually because the searches in that dashboard fail to find matching events in your data.

Be aware that ES relies heavily on datamodel accelerations so it's important to set up your datamodels.  Go to Settings->CIM Setup to do that.  Select the datamodels to accelerate and make sure to specify the index(es) that contain data for that DM.  Only accelerate DMs that are relevant to your use cases.

Datamodels depend on data that is onboarded using CIM-compliant field names.  If your data does not use field names from the Common Information Model then it's unlikely to make it into an ES dashboard.

When you bought ES, it should have come with Splunk Professional Services (PS), which would have made sure your ES dashboards light up.

---
If this reply helps you, Karma would be appreciated.

munna
Explorer

HI @richgalloway ,

First of all, thank you for your reply, But I config the CIM model according to this https://docs.splunk.com/Documentation/CIM/4.19.0/User/Alerts data model. After doing that also did not show the data in the ES app Screenshot from 2021-06-07 21-23-51.pngScreenshot from 2021-06-07 21-25-25.png

I have done as you mentioned in this way, but it also did not show the data in the ES dashboards it shows only 0's.

Can you please let me know if I missed any fields in the data model?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's not enough to turn on DM acceleration.  It's critical to have the right data in the index to satisfy the particular ES search.  Examine the searches being used by ES to see what fields and values it expects then check your data to make you have what is needed.

---
If this reply helps you, Karma would be appreciated.

munna
Explorer

Hi @richgalloway ,

I created a DM for alerts and accelerated it after that  I created a correlation search for that it showing the data in the dashboards of ES. similarly, i deal with the Splunk OT add-on by accelerating the OT-asset DM and creating a correlation search but, in this case, it shows the events in the ES dashboard instead of showing the data on the Splunk OT add-on dashboards. how to show that data on the Splunk OT dashboards is there any other way to do that please let me know that.

please let me know if anything extra configuration needed.

 
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The Splunk OT add-on adds dashboards to ES.  It is not a standalone app.  You should see a menu called "Operational Technology" in ES.

If you have that menu, examine the dashboard to find out what it is searching for and verify you have that data in your indexes.

---
If this reply helps you, Karma would be appreciated.

munna
Explorer

Hi @richgalloway ,

I added the dashboards of OT  to the ES, I examine the indexes like notable,risk, evt_sum_ot_asset_traffic
now iknow how to fed data into the notables.But incase of other indexes i don't know so.
how the data is stored in the index=risk,index=evt_sum_ot_asset_traffic in the splunk ES and OT add-ons. is there any specific procedure to fed data. please let me know if it has

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The risk index is populated by ES as it processes correlation searches that include a risk factor.

I don't know about the evt_sum_ot_asset_traffic index.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...