Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- No Vulnerability Detection Data Appearing in Splun...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No Vulnerability Detection Data Appearing in Splunk Dashboard
Hello Splunk Community,
I'm seeking help regarding an issue I’m facing.
The main problem is that vulnerability detection data is not showing up in my Splunk dashboard.
Wazuh is installed and running correctly, and other data appears to be coming through, but the vulnerability detection events are missing.
I've verified that:
Wazuh services are running properly without critical errors.
Vulnerability Detector is enabled in the Wazuh configuration (ossec.conf).
Wazuh agents are reporting other types of events successfully.
Despite this, no vulnerability data appears in the dashboard.
Could someone guide me on how to troubleshoot this?
Any advice on checking Wazuh modules, Splunk sourcetypes, indexes, or forwarder configurations would be highly appreciated.
Thank you in advance for your support!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @livehybrid
First of all, thanks for your response.
When I search using index="wazuh-alerts", I get lots of events.
For the search index="wazuh-alerts" "Medium", I get 7 events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ranafge
Do those 7 medium events look like the ones you would expect to see in the dashboards? Without seeing the data its hard for us to work out so please provide redacted samples if you can.
Is the data JSON structured? Does it have a field data -> vulnerability -> severity when looking at the event(s)?
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @livehybrid,
Thanks for your response.
Yes it is JSON structured data but there is not data like data -> vulnerability -> severity.
How can i send you root cause analysis data?
sample data :
{"timestamp":"2025-04-29T12:44:53.812+0600","rule":{"level":5,"description":"Systemd: Service exited due to a failure.","id":"40704","firedtimes":4,"mail":false,"groups":["local","systemd"],"gpg13":["4.3"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"debian-pc","ip":"192.168.11.XX"},"manager":{"name":"ubuntu"},"id":"1745909093.11585380","full_log":"Apr 29 06:44:53 proxmox systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE","predecoder":{"program_name":"systemd","timestamp":"Apr 29 06:44:53","hostname":"proxmox"},"decoder":{"name":"systemd"},"location":"journald"}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ranafge
The first thing I would try here is opening some of the searches in the dashboards in Search (Click the little magnifying glass) and check for any errors.
If still no results then you can try removing various parts of the search to see if there is a particular line which is causing the issue, if this happens let us know the specifics and we can work out what the issue is.
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all thanks for your reply.
I ran the following search in Splunk:
I also tested for other severity levels like "High" and "Low," but the result was always 0.
This indicates that no vulnerability detection events are being indexed in Splunk.
Even though other types of data are coming through, there are currently no events where data.vulnerability.severity is populated with "High," "Medium," or "Low."
It suggests that either:
Vulnerability Detector is not generating results,
The events are not being forwarded to Splunk properly,
Or the events are being indexed but under a different sourcetype, index, or field structure.
Would appreciate any guidance on how to dig deeper into this!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ranafge
Okay, this is progress in terms of diagnosing.
So - you see events if you search index="wazuh-alerts" ?
If you search index="wazuh-alerts" "Medium" - do you get any result then? Im trying to determine if its a field extraction issue or if the data is actually missing.
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @livehybrid
First of all, thanks for your response.
When I search using index="wazuh-alerts", I get lots of events.
For the search index="wazuh-alerts" "Medium", I get 7 events.
Splunk Answers Content Calendar, July Edition I
Secure Your Future: Mastering Upgrade Readiness for Splunk 10
Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM
