Dashboards & Visualizations

No Vulnerability Detection Data Appearing in Splunk Dashboard

ranafge
Loves-to-Learn

Hello Splunk Community,

I'm seeking help regarding an issue I’m facing.

The main problem is that vulnerability detection data is not showing up in my Splunk dashboard.
Wazuh is installed and running correctly, and other data appears to be coming through, but the vulnerability detection events are missing.

I've verified that:

  • Wazuh services are running properly without critical errors.

  • Vulnerability Detector is enabled in the Wazuh configuration (ossec.conf).

  • Wazuh agents are reporting other types of events successfully.

Despite this, no vulnerability data appears in the dashboard.

Could someone guide me on how to troubleshoot this?
Any advice on checking Wazuh modules, Splunk sourcetypes, indexes, or forwarder configurations would be highly appreciated.

Thank you in advance for your support!

0 Karma

ranafge
Loves-to-Learn

Hi @livehybrid 
First of all, thanks for your response.
When I search using index="wazuh-alerts", I get lots of events.
For the search index="wazuh-alerts" "Medium", I get 7 events.

0 Karma

livehybrid
Super Champion

Hi @ranafge 

Do those 7 medium events look like the ones you would expect to see in the dashboards? Without seeing the data it's hard for us to work out, so please provide redacted samples if you can.

Is the data JSON structured? Does it have a field data -> vulnerability -> severity when looking at the event(s)?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

ranafge
Loves-to-Learn

Hi @livehybrid,

Thanks for your response.

Yes, it is JSON-structured data, but there is no data like data -> vulnerability -> severity.

How can I send you root cause analysis data?

Sample data:

{"timestamp":"2025-04-29T12:44:53.812+0600","rule":{"level":5,"description":"Systemd: Service exited due to a failure.","id":"40704","firedtimes":4,"mail":false,"groups":["local","systemd"],"gpg13":["4.3"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"debian-pc","ip":"192.168.11.XX"},"manager":{"name":"ubuntu"},"id":"1745909093.11585380","full_log":"Apr 29 06:44:53 proxmox systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE","predecoder":{"program_name":"systemd","timestamp":"Apr 29 06:44:53","hostname":"proxmox"},"decoder":{"name":"systemd"},"location":"journald"}

0 Karma

livehybrid
Super Champion

Hi @ranafge 

The first thing I would try here is opening some of the searches in the dashboards in Search (click the little magnifying glass) and checking for any errors.

If there are still no results, you can try removing various parts of the search to see if there is a particular line which is causing the issue. If this happens, let us know the specifics and we can work out what the issue is.


0 Karma

ranafge
Loves-to-Learn

First of all thanks for your reply.

I ran the following search in Splunk:

index="wazuh-alerts" "data.vulnerability.severity"="Medium" | stats count

I also tested for other severity levels like "High" and "Low," but the result was always 0.

This indicates that no vulnerability detection events are being indexed in Splunk.
Even though other types of data are coming through, there are currently no events where data.vulnerability.severity is populated with "High," "Medium," or "Low."

It suggests that either:

  • Vulnerability Detector is not generating results,

  • The events are not being forwarded to Splunk properly,

  • Or the events are being indexed but under a different sourcetype, index, or field structure.

Would appreciate any guidance on how to dig deeper into this!

0 Karma

livehybrid
Super Champion

Hi @ranafge 

Okay, this is progress in terms of diagnosing.

So, you see events if you search index="wazuh-alerts"?

If you search index="wazuh-alerts" "Medium", do you get any result then? I'm trying to determine if it's a field extraction issue or if the data is actually missing.


0 Karma
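One way to make that distinction concrete offline, as an added example that is not part of the thread or of Wazuh/Splunk itself: the script below replays the two searches from the thread over a few constructed Wazuh-style alerts (the rule ids, CVE and package names are made up; the assumption that a genuine Vulnerability Detector alert carries data.vulnerability.severity comes from the thread) and separates raw hits on the word "Medium" from events where the structured field is actually set. If the raw count exceeds the field count and the leftover rule ids are unrelated rules, the problem is missing data rather than a field-extraction problem.

```python
import json

# Constructed sample alerts (not real data): one vulnerability alert with
# data.vulnerability.severity set, and two unrelated alerts, one of which merely
# contains the word "Medium" in its description and full_log.
SAMPLE_ALERTS = [
    '{"timestamp":"2025-04-29T12:50:00.000+0600","rule":{"level":7,"description":"CVE-EXAMPLE-0001 affects examplepkg","id":"23504","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"debian-pc"},"data":{"vulnerability":{"severity":"Medium","cve":"CVE-EXAMPLE-0001","package":{"name":"examplepkg"}}}}',
    '{"timestamp":"2025-04-29T12:44:53.812+0600","rule":{"level":5,"description":"Systemd: Service exited due to a failure.","id":"40704","groups":["local","systemd"]},"agent":{"id":"001","name":"debian-pc"},"full_log":"Apr 29 06:44:53 proxmox systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE"}',
    '{"timestamp":"2025-04-29T12:45:10.000+0600","rule":{"level":3,"description":"Medium priority audit message","id":"99999","groups":["audit"]},"agent":{"id":"002","name":"web-01"},"full_log":"audit: Medium priority event"}',
]


def get_path(obj, path):
    """Walk a dotted path such as 'data.vulnerability.severity'; None if absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def triage(raw_lines, term="Medium", field="data.vulnerability.severity"):
    """Mirror the two Splunk searches from the thread.

    raw_hits   ~ index="wazuh-alerts" "Medium"                      (substring)
    field_hits ~ index="wazuh-alerts" "data.vulnerability.severity"="Medium"
    unstructured_rule_ids: raw hits whose structured field is absent, i.e. the
    term appears elsewhere (description, full_log). Those are not vulnerability
    alerts, so no field-extraction fix would surface them as such.
    """
    raw_hits = field_hits = 0
    unstructured = []
    for line in raw_lines:
        event = json.loads(line)
        if term in line:
            raw_hits += 1
            if get_path(event, field) == term:
                field_hits += 1
            else:
                unstructured.append(get_path(event, "rule.id"))
    return {"raw_hits": raw_hits, "field_hits": field_hits,
            "unstructured_rule_ids": unstructured}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERTS), indent=2))
```

In the thread's situation (7 raw hits, 0 field hits) the equivalent run would list all 7 rule ids as unstructured, which points at the Vulnerability Detector output never reaching the index rather than at Splunk's JSON field extraction.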
