Among other things, I have the Enterprise Security and Splunk_TA_ipfix apps installed and am successfully indexing IPFIX data (into the index named "ipfix"). From the search app, when I dump the index with the search command "index=ipfix", I can see the data and the interesting fields are parsed out like I expect. When I do the same search in the Enterprise Sec app, the events show but none of the fields show on the left side. I'll guess this is a permissions issue, but I looked at all of the places I could think of and everything looks like I think it should.
Can somebody explain what I'm missing to make this work?