I have the Splunk ES app in my Splunk Enterprise, but I can't see the data in my Splunk Enterprise Security app dashboard (it shows only 0's). How do I give the data to Splunk ES, and in how many ways can we give data to it?
One does not "give" data to an app. Apps *search* for data. If an ES dashboard is not showing data then it's usually because the searches in that dashboard fail to find matching events in your data.
Be aware that ES relies heavily on datamodel accelerations so it's important to set up your datamodels. Go to Settings->CIM Setup to do that. Select the datamodels to accelerate and make sure to specify the index(es) that contain data for that DM. Only accelerate DMs that are relevant to your use cases.
Datamodels depend on data that is onboarded using CIM-compliant field names. If your data does not use field names from the Common Information Model then it's unlikely to make it into an ES dashboard.
When you bought ES, it should have come with Splunk Professional Services (PS), which would have made sure your ES dashboards light up.
Hi @richgalloway,
First of all, thank you for your reply. But I configured the CIM model according to this https://docs.splunk.com/Documentation/CIM/4.19.0/User/Alerts data model. After doing that, it still did not show the data in the ES app.
I have done as you mentioned, but it also did not show the data in the ES dashboards; it shows only 0's.
Can you please let me know if I missed any fields in the data model?
It's not enough to turn on DM acceleration. It's critical to have the right data in the index to satisfy the particular ES search. Examine the searches being used by ES to see what fields and values they expect, then check your data to make sure you have what is needed.
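The checks described in the two answers above (is the data model accelerated and populated, do the events carry CIM field names, what does the ES search actually expect), written out as SPL. This is an added example, not code from the original thread or from Splunk; the index name `my_alerts` and the saved-search title filter `*Alert*` are assumptions, and the list of Alerts fields in the third search is the set I expect the CIM Alerts model to use and should be checked against the linked CIM documentation.

```spl
| tstats summariesonly=true count FROM datamodel=Alerts.Alerts BY index, sourcetype

| tstats summariesonly=false count FROM datamodel=Alerts.Alerts BY index, sourcetype

index=my_alerts tag=alert
| fieldsummary maxvals=5
| search field IN (app, body, dest, id, severity, src, type, user)
| table field count distinct_count values

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search eai:acl.app IN ("SplunkEnterpriseSecuritySuite", "DA-ESS-*") title="*Alert*"
| table title search
```

Read the results in order. The first search counts only events in the accelerated summary; if it returns nothing but the second search (which falls back to a normal search over the model's constraint, `tag=alert` for the Alerts model) does return rows, acceleration is either still building or the index was not selected in Settings->CIM Setup. If both return nothing, the events are not tagged `alert`, so the model never sees them regardless of acceleration. The third search shows which of the CIM fields are present on the raw events and how often; a field with a low `count` relative to the event total is the one the dashboard panel will be summing zeros over. The fourth search lists the saved searches that ES's own panels and correlation searches run, so you can read the exact fields and values they filter on rather than guessing; dashboard panels can also be opened directly in Search from the panel's magnifier icon.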
Hi @richgalloway,
I created a DM for alerts and accelerated it. After that I created a correlation search for it, and it is showing the data in the dashboards of ES. Similarly, I dealt with the Splunk OT add-on by accelerating the OT asset DM and creating a correlation search, but in this case it shows the events in the ES dashboard instead of showing the data on the Splunk OT add-on dashboards. How do I show that data on the Splunk OT dashboards? Is there any other way to do that? Please let me know.
Please let me know if any extra configuration is needed.
The Splunk OT add-on adds dashboards to ES. It is not a standalone app. You should see a menu called "Operational Technology" in ES.
If you have that menu, examine the dashboard to find out what it is searching for and verify you have that data in your indexes.
Hi @richgalloway,
I added the dashboards of OT to the ES. I examined the indexes like notable, risk, evt_sum_ot_asset_traffic.
Now I know how to feed data into the notables. But in the case of the other indexes I don't know.
How is the data stored in index=risk and index=evt_sum_ot_asset_traffic in Splunk ES and the OT add-on? Is there any specific procedure to feed data? Please let me know if there is.
The risk index is populated by ES as it processes correlation searches that include a risk factor.
I don't know about the evt_sum_ot_asset_traffic index.
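To see how the risk index described in the answer above is being populated, here are two SPL searches I use; they are an added example, not part of the original thread or of ES itself. They assume the ES 6.x convention that a correlation search with the risk adaptive response enabled carries `action.risk=1` in its saved-search definition, and that risk events land in `index=risk` with the fields `risk_object`, `risk_object_type`, `risk_score` and `source` (the contributing correlation search).

```spl
index=risk
| stats count sum(risk_score) AS total_risk values(source) AS contributing_searches BY risk_object, risk_object_type
| sort - total_risk

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search action.risk=1
| table title disabled cron_schedule eai:acl.app
```

The first search answers "is anything writing risk at all, and from which correlation searches"; an empty result with correlation searches firing notables means the risk action was never added to those searches. The second lists every saved search that has the risk action enabled, with its schedule and whether it is disabled, which is the usual reason a risk-based panel stays at 0 even though the underlying data model is populated. Nothing is written to `index=risk` by ingesting data directly; only correlation searches (or a manual risk adjustment in ES) add events there.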