Did you ever find a solution for this? Seeing this in our environment as well.  ... View more

Hello! Did you ever figure out what was causing this?  ... View more

As a heads up: they are tracking this as a bug. I had a support ticket open for the same issue after an upgrade. ... View more

It's version 3.3.3; the screenshot is attached to the original post. It doesn't give an error at all, it just doesn't display the matrix. When I look at the Job Inspector, there aren't any errors, either.  ... View more

I just poked around in that screen, but it doesn't seem to be what I'm looking for. Previously, the MITRE matrix loaded just fine; I have content enabled that should reflect here. The rest of the page loads as well; it's just the one matrix that isn't working.  ... View more

I have a support ticket open about this, and below is the latest update. Basically, there is a discrepancy between the way tstats works with the different combinations of events/search definitions in data models. Splunk has a JIRA ticket open to address this discrepancy, but no resolution is defined as of yet. "As we discuss with my colleague as well the tstats searches against accelerated DMs relying on a Root Search Dataset, but part of a Mixed Model (which means that it contains at least also one Root Event Dataset will always fail regardless if the constraint search is or is NOT a streaming search, as this is currently not supported. Basically this is what happens on our case and the SPL ticket states. Here is the SPL ticket in case you want to verify SPL-167885. As we saw other option to add using in the search are using the "| datamodel" or the "| from" command. https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Datamodel https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/From " ... View more

So, I've noticed that this does not work for the Endpoint datamodel. For Endpoint, it has to be datamodel=Endpoint. without a nodename. It seems to be the only datamodel that this is occurring for at this time. Is this an issue that you've come across? ... View more

Only the file/folder sourcetypes allow for the 'location' field to be populated, though, and that's what we're trying to get. Thank you for the information you've gotten thus far! ... View more

Negative; I have a support case still open about it. I'll update as I get useful information. ... View more

This worked. I feel silly. Thank you!! ... View more

Okay; if you leave the folder/file fields empty, I was assuming it would just pull ALL of the fields. I'll add the path_collection to them and see if it makes a difference. Thank you. ... View more

I did try to configure via UI, but I've reverted to the hard coding for testing at least. I saw in a different post that there may be a SSO issue, so I figured I'd start there. The query I'm using is exactly the one you mentioned above just so I can verify functionality. I'm trying to work around the issue by creating the filter within Netwitness itself for the time being, but it's not cooperating either (of course). haha. ... View more

I have, indeed. I'm kind of hoping it's a credential issue on the Box side, but there's not a lot to support that yet. Still looking into it. ... View more

I'm actually getting the same errors. While I'm getting basic events, I'm not getting the folder, group, or user events. Any ideas? ... View more