Dashboards & Visualizations

No Vulnerability Detection Data Appearing in Splunk Dashboard

ranafge
Loves-to-Learn Lots

Hello Splunk Community,

I'm seeking help regarding an issue I’m facing.

The main problem is that vulnerability detection data is not showing up in my Splunk dashboard.
Wazuh is installed and running correctly, and other data appears to be coming through, but the vulnerability detection events are missing.

I've verified that:

  • Wazuh services are running properly without critical errors.

  • Vulnerability Detector is enabled in the Wazuh configuration (ossec.conf).

  • Wazuh agents are reporting other types of events successfully.

Despite this, no vulnerability data appears in the dashboard.

Could someone guide me on how to troubleshoot this?
Any advice on checking Wazuh modules, Splunk sourcetypes, indexes, or forwarder configurations would be highly appreciated.

Thank you in advance for your support!


ranafge
Loves-to-Learn Lots

Hi @livehybrid 
First of all, thanks for your response.
When I search using index="wazuh-alerts", I get lots of events.
For the search index="wazuh-alerts" "Medium", I get 7 events.


livehybrid
Super Champion

Hi @ranafge 

Do those 7 medium events look like the ones you would expect to see in the dashboards? Without seeing the data it's hard for us to work out, so please provide redacted samples if you can.

Is the data JSON structured? Does it have a field data -> vulnerability -> severity when looking at the event(s)?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


ranafge
Loves-to-Learn Lots

Hi @livehybrid,

Thanks for your response.

Yes, it is JSON-structured data, but there is no data like data -> vulnerability -> severity.

How can I send you root cause analysis data?

Sample data:

{"timestamp":"2025-04-29T12:44:53.812+0600","rule":{"level":5,"description":"Systemd: Service exited due to a failure.","id":"40704","firedtimes":4,"mail":false,"groups":["local","systemd"],"gpg13":["4.3"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"debian-pc","ip":"192.168.11.XX"},"manager":{"name":"ubuntu"},"id":"1745909093.11585380","full_log":"Apr 29 06:44:53 proxmox systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE","predecoder":{"program_name":"systemd","timestamp":"Apr 29 06:44:53","hostname":"proxmox"},"decoder":{"name":"systemd"},"location":"journald"}


livehybrid
Super Champion

Hi @ranafge 

The first thing I would try here is opening some of the searches in the dashboards in Search (click the little magnifying glass) and checking for any errors.

If there are still no results, then you can try removing various parts of the search to see if there is a particular line which is causing the issue; if this happens, let us know the specifics and we can work out what the issue is.



ranafge
Loves-to-Learn Lots

First of all thanks for your reply.

I ran the following search in Splunk:

index="wazuh-alerts" "data.vulnerability.severity"="Medium" | stats count

I also tested for other severity levels like "High" and "Low," but the result was always 0.

This indicates that no vulnerability detection events are being indexed in Splunk.
Even though other types of data are coming through, there are currently no events where data.vulnerability.severity is populated with "High," "Medium," or "Low."

It suggests that either:

  • Vulnerability Detector is not generating results,

  • The events are not being forwarded to Splunk properly,

  • Or the events are being indexed but under a different sourcetype, index, or field structure.

Would appreciate any guidance on how to dig deeper into this!


livehybrid
Super Champion

Hi @ranafge 

Okay, this is progress in terms of diagnosing.

So - you see events if you search index="wazuh-alerts"?

If you search index="wazuh-alerts" "Medium" - do you get any result then? I'm trying to determine if it's a field extraction issue or if the data is actually missing.


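The question livehybrid is circling (is this a field extraction problem, or is the vulnerability data simply not there?) and the three hypotheses ranafge lists can be separated at the source before touching Splunk at all. The script below is an added example, not part of this thread and not Wazuh's or Splunk's own tooling: it reads the manager's alerts.json (one JSON alert per line, the file the forwarder normally monitors) and counts alerts that actually carry data.vulnerability.severity separately from lines that merely contain a keyword such as "Medium" somewhere in their text, which is exactly what a bare index="wazuh-alerts" "Medium" search matches. The sample alerts are constructed (the first is the systemd alert quoted above, the CVE ids are placeholders), the alerts.json path and nested field layout are the standard Wazuh ones, and the function names are mine.

```python
import json
import sys
from collections import Counter
from typing import Iterable, Optional

# Constructed sample in the shape of Wazuh's alerts.json (one JSON object per line).
# Line 1 is the systemd alert quoted in the thread; the rest are made up here:
# two vulnerability-detector alerts with placeholder CVE ids, one audit alert
# that only contains the word "Medium" as free text, and one truncated line.
SAMPLE_ALERTS = [
    '{"timestamp":"2025-04-29T12:44:53.812+0600","rule":{"level":5,"description":"Systemd: Service exited due to a failure.","id":"40704","firedtimes":4,"mail":false,"groups":["local","systemd"],"gpg13":["4.3"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"debian-pc","ip":"192.168.11.XX"},"manager":{"name":"ubuntu"},"id":"1745909093.11585380","full_log":"Apr 29 06:44:53 proxmox systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE","predecoder":{"program_name":"systemd","timestamp":"Apr 29 06:44:53","hostname":"proxmox"},"decoder":{"name":"systemd"},"location":"journald"}',
    '{"timestamp":"2025-04-29T12:50:01.000+0600","rule":{"level":7,"description":"CVE-0000-0000 affects example-pkg","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"debian-pc"},"data":{"vulnerability":{"package":{"name":"example-pkg","version":"1.0"},"cve":"CVE-0000-0000","severity":"Medium"}},"location":"vulnerability-detector"}',
    '{"timestamp":"2025-04-29T12:51:01.000+0600","rule":{"level":10,"description":"CVE-0000-0001 affects example-lib","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"debian-pc"},"data":{"vulnerability":{"package":{"name":"example-lib","version":"2.3"},"cve":"CVE-0000-0001","severity":"High"}},"location":"vulnerability-detector"}',
    '{"timestamp":"2025-04-29T12:52:01.000+0600","rule":{"level":3,"description":"Audit: Medium-priority watch triggered.","groups":["audit"]},"agent":{"id":"001","name":"debian-pc"},"full_log":"type=SYSCALL key=Medium","location":"audit"}',
    '{"timestamp":"2025-04-29T12:53:01.000+0600","rule":{"level":3,"descr',
]


def vulnerability_severity(alert: dict) -> Optional[str]:
    """Return data.vulnerability.severity when the nested field exists, else None."""
    data = alert.get("data")
    if not isinstance(data, dict):
        return None
    vuln = data.get("vulnerability")
    if not isinstance(vuln, dict):
        return None
    sev = vuln.get("severity")
    return sev if isinstance(sev, str) else None


def triage(lines: Iterable[str], needle: str = "Medium") -> dict:
    """Split alert lines into real vulnerability alerts (counted by severity),
    lines that only contain `needle` as free text, and lines that do not parse."""
    by_severity: Counter = Counter()
    substring_only = 0
    malformed = 0
    total = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        total += 1
        try:
            alert = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1
            continue
        sev = vulnerability_severity(alert)
        if sev is not None:
            by_severity[sev] += 1
        elif needle in raw:
            # Would match a bare keyword search like index="wazuh-alerts" "Medium"
            # without carrying the nested field the dashboard filters on.
            substring_only += 1
    return {
        "total": total,
        "by_severity": dict(by_severity),
        "substring_only": substring_only,
        "malformed": malformed,
    }


def verdict(report: dict) -> str:
    """Map the counts onto the hypotheses raised in the thread."""
    if report["by_severity"]:
        # Wazuh is writing vulnerability alerts: the gap is downstream
        # (forwarder inputs, index, sourcetype or JSON field extraction in Splunk).
        return "source-has-vulnerability-alerts"
    if report["substring_only"]:
        # The keyword only hits unrelated alerts: Vulnerability Detector output is absent.
        return "keyword-hits-only"
    return "no-vulnerability-alerts-at-source"


if __name__ == "__main__":
    # Usage on the manager: python3 triage_vd.py /var/ossec/logs/alerts/alerts.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = triage(fh)
    else:
        report = triage(SAMPLE_ALERTS)
    print(json.dumps(report, indent=2))
    print(verdict(report))
```

Run against the sample, the report shows one Medium and one High vulnerability alert, one keyword-only hit and one malformed line. If the same run against the real alerts.json yields an empty by_severity, the problem is in Wazuh's Vulnerability Detector rather than in Splunk; if it shows severities that the stats count search never sees, compare the forwarder's monitored path, the target index and the sourcetype's JSON extraction.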
