@ND1 Agreed with @sainag_splunk  

Also,

Most ES dashboard expects data in CIM fields or from a specific data model/summary index.

Check fields
Run your correlation search in Search & Reporting
Use the field picker to see if required CIM fields are present
If not, review your field extractions or data model configurations

Check Datamodel
| datamodel <datamodel_name> search

If the data model is empty, review your data sources and field extractions.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

@ND1 It's not easy to troubleshoot without a screen share, but typically I recommend:

1. Check the time filter on each dashboard panel
2. Click the magnifying glass on the panel to view the search
3. Expand the search to see what's actually running - you'll typically see macros there
4. Expand those macros using Ctrl + Shift + E (Windows) or Cmd + Shift + E (Mac)
5. Run the expanded search with a broader time range to see if data appears

also check

• Time range mismatch: The ES dashboard is looking for recent data while your correlation search finds older events
• Data model acceleration: Your correlation search might need CIM-compliant field mappings
• Dashboard filters: Check if the dashboard has hidden drilldown tokens or filters applied

check out this user guide: https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/analytics/available-dashboard...

Additional help: If you have Splunk OnDemand Services credits available, I'd recommend using them to walk through this issue with a Splunk expert who can troubleshoot in real-time.



If this Helps, Pleas Upvote.