
Splunk app for AWS security dashboard shows '0' data

Gaikwad
Explorer

Splunk App for AWS security dashboard shows '0' data; I need help to fix this issue.



[screenshot]

When I try to run/edit the query, it shows the error below:

[screenshot]


tej57
Contributor

Hey @Gaikwad,

The error message itself shows what the issue is. The dashboards in the Splunk App for AWS Security are powered by the macro "aws-security-cloudtrail-service". By default, the macro definition is present in the app. However, it doesn't know which index to look into. You can navigate to Settings -> Advanced Search -> Search Macros and locate the macro in the window. Then you'll need to define which index it needs to search and add the arguments accordingly.

In addition to this, you'll also need to make sure that the permissions on the macro are adequate for a user to access it outside the app, or that all users at least have read access, for the dashboard to load the panels properly. Once the macro is defined with the appropriate index definition and the permissions are properly provided, the dashboard panels will show the expected results.


Thanks,
Tejas.

---

If the above solution is helpful, an upvote is appreciated. 


Gaikwad
Explorer

@tej57, is this correct?

[screenshot]


tej57
Contributor

Hey @Gaikwad ,

I think this is a custom macro created by you. The default dashboards in the app use a few macros that come shipped with the app itself. You can change the filter from "Visible in the app" to "Created in the app" and you'll be able to identify the list of macros that come by default.

For example, for the first panel to display IAM errors, it looks for the following macro: aws-security-cloudtrail-service("IAM", $notable$).

[screenshot]

The macro applies the lookup command and fetches the values from the aws_security_all_eventName lookup file. Below is its definition from the app.

lookup aws_security_all_eventName eventName OUTPUT function | fillnull value="N/A" function | search function="$service$" | eval notable=if(match(eventName, "(^Get*|^List*|^Describe*)"), 0, 1) | search notable=$notable$


Similarly, the further panels use a few other macros to populate their results. You'll need to check those macro definitions and update them for your environment. That should help you load the dashboard properly.


Thanks,
Tejas.

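To make the macro's behaviour concrete, here is an added Python emulation of the aws-security-cloudtrail-service pipeline quoted above (lookup, fillnull, service filter, notable eval, notable filter). It is not code from the app or from the thread; the lookup table and the CloudTrail event names are constructed sample data, and the regex is copied verbatim from the macro so its matching semantics can be observed.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the aws_security_all_eventName lookup file
# (eventName -> "function" column, i.e. the AWS service).
EVENT_NAME_LOOKUP: Dict[str, str] = {
    "CreateUser": "IAM",
    "GetUser": "IAM",
    "ListUsers": "IAM",
    "DeleteAccessKey": "IAM",
    "GenerateCredentialReport": "IAM",
    "RunInstances": "EC2",
    "DescribeInstances": "EC2",
}

# Same pattern as the macro. SPL's match() is an unanchored regex search,
# hence re.search. Note that "Get*" means "Ge" followed by zero or more "t",
# so any eventName starting with "Ge" (e.g. GenerateCredentialReport) is
# also flagged as read-only (notable=0).
READ_ONLY_RE = re.compile(r"(^Get*|^List*|^Describe*)")

# Constructed sample CloudTrail events, one dict per event.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"eventName": "CreateUser", "errorCode": "AccessDenied"},
    {"eventName": "GetUser", "errorCode": "AccessDenied"},
    {"eventName": "ListUsers"},
    {"eventName": "DeleteAccessKey"},
    {"eventName": "GenerateCredentialReport"},
    {"eventName": "RunInstances"},
    {"eventName": "DescribeInstances"},
    {"eventName": "UnknownCall"},
]


def apply_macro(events: List[Dict[str, str]], service: str,
                notable: Optional[int] = None) -> List[Dict[str, object]]:
    """Emulate aws-security-cloudtrail-service(service, notable).

    Order mirrors the SPL: lookup -> fillnull function="N/A"
    -> search function=<service> -> eval notable -> search notable=<notable>.
    Service comparison is exact here; SPL's search would be case-insensitive.
    """
    out: List[Dict[str, object]] = []
    for ev in events:
        name = ev.get("eventName", "")
        function = EVENT_NAME_LOOKUP.get(name, "N/A")   # lookup + fillnull
        if function != service:                        # search function=
            continue
        is_notable = 0 if READ_ONLY_RE.search(name) else 1   # eval notable
        if notable is not None and is_notable != notable:    # search notable=
            continue
        out.append({**ev, "function": function, "notable": is_notable})
    return out
```

Running apply_macro(SAMPLE_EVENTS, "IAM", 1) returns only CreateUser and DeleteAccessKey, which is what the IAM errors panel would count; events absent from the lookup fall into function="N/A" and never reach a service panel.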