Hello,
This is likely due to your data not going to the correct index. Could you follow these steps below to see if it corrects your problem?
Changing the Index
By default this app uses the "main" index to look for Proofpoint logs. To change this to an index that the Proofpoint Email Security Add-On uses, you need to edit the get_pps_index macro. Here are the steps:
Navigate to Settings->Advanced Search and select "Search macros"
Change the app context to "Proofpoint Email Security App for Splunk"
Select the macro named "get_pps_index"
Change index=main to the correct index. Please make sure this index matches the one used the Proofpoint Email Security Add-On for Splunk.
Save the configuration.
... View more