Splunk app for AWS security dashboard shows '0' data

Gaikwad
Explorer

The Splunk App for AWS Security dashboard shows '0' data. I need help fixing this issue.



[screenshot: Gaikwad_0-1698045651246.png]

When I try to run/edit the query, it shows the error below:

[screenshot: Gaikwad_1-1698045725815.png]

tej57
Communicator

Hey @Gaikwad,

The error message itself shows what the issue is. The dashboards in the Splunk App for AWS Security are powered by the macro "aws-security-cloudtrail-service". By default, the macro definition is present in the app. However, it doesn't know which index to look into. You can navigate to Settings -> Advanced Search -> Search Macros and locate the macro in the window. Then you'll need to define which index it needs to search and add the arguments accordingly.

In addition to this, you'll also need to make sure that the permissions on the macro are adequate for a user to access it outside the app, or at least give read access to all users so that the dashboard can load the panels properly. Once the macro is defined with the appropriate index and the permissions are properly set, the dashboard panels will show the expected results.

Thanks,
Tejas.

---

If the above solution is helpful, an upvote is appreciated. 


Gaikwad
Explorer

@tej57, is this correct?

[screenshot: Gaikwad_0-1698389626702.png]

tej57
Communicator

Hey @Gaikwad ,

I think this is a custom macro created by you. The default dashboards in the app use a few macros that come shipped with the app itself. You can change the filter from "Visible in the app" to "Created in the app" and you'll be able to identify the list of macros that come by default.

For example, the first panel, which displays IAM errors, looks for the following macro: aws-security-cloudtrail-service("IAM", $notable$).

[screenshot: tej57_0-1698397180609.png]

The macro applies the lookup command and fetches values from the aws_security_all_eventName lookup file. Below is its definition from the app.

lookup aws_security_all_eventName eventName OUTPUT function | fillnull value="N/A" function | search function="$service$" | eval notable=if(match(eventName, "(^Get*|^List*|^Describe*)"), 0, 1) | search notable=$notable$

Similarly, the other panels use a few other macros to populate their data. You'll need to check those macro definitions and update them for your environment. That should help the dashboard load properly.


Thanks,
Tejas.

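The two fixes described in the replies above (scope the macro to an index, then open its permissions), written out as conf stanzas. This is an added example, not configuration shipped with the Splunk App for AWS Security. `<app>` is a placeholder for the app's directory on your search head, and `index=aws` / `sourcetype=aws:cloudtrail` are assumptions to be replaced with wherever your CloudTrail events actually land. The macro definition is the one posted in the thread with a base search prepended; if the dashboard panels already supply their own base search before calling the macro, put the index there instead of inside the macro, since `index=` is not valid after a pipe.

```conf
# $SPLUNK_HOME/etc/apps/<app>/local/macros.conf
# (<app> is an assumed placeholder for the app directory; edits in local/ survive upgrades
#  of the app, whereas edits to default/ do not.)
#
# The stanza name carries the argument count, so a two-argument macro called as
# `aws-security-cloudtrail-service("IAM", $notable$)` lives in the "(2)" stanza.
#
# Note on the shipped regex "(^Get*|^List*|^Describe*)": in a regex "Get*" means "Ge"
# followed by zero or more "t", so that pattern also marks event names such as
# GenerateCredentialReport or GenerateDataKey as non-notable (notable=0).
# "^(Get|List|Describe)" below matches only the intended read-only prefixes; keep the
# original expression if you want the app's behaviour unchanged.
[aws-security-cloudtrail-service(2)]
args = service,notable
definition = index=aws sourcetype=aws:cloudtrail | lookup aws_security_all_eventName eventName OUTPUT function | fillnull value="N/A" function | search function="$service$" | eval notable=if(match(eventName, "^(Get|List|Describe)"), 0, 1) | search notable=$notable$
iseval = 0

# $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta
# Dashboards run searches as the logged-in user, so every role that views the dashboard
# needs read on the macro. Write stays with admin so the index scope cannot be changed by
# ordinary users; export = system makes the macro resolve outside the app context too.
[macros/aws-security-cloudtrail-service(2)]
access = read : [ * ], write : [ admin ]
export = system
```

After editing the files, reload them (Settings -> Server controls -> Restart, or the `/debug/refresh` endpoint) and confirm the result under Settings -> Advanced Search -> Search Macros with the filter set to "Created in the app": the macro should list the app as its owner, show "Global" sharing, and expand without the error from the screenshot when the dashboard query is opened in Search.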