Hi,
I have installed the Cisco AMP app on our indexer and I can see AMP events coming in. But I can't see any malware information in Splunk Enterprise Security (Security Domains > Endpoint Protection > Malware Center). ESS is installed on the search head and the AMP index is accessible from the search head.
Is there anything else that needs to be configured on the search head in order to see information in the Malware Center?
Thank you in advance.
First check if the add-on is being imported by ES:
http://docs.splunk.com/Documentation/ES/5.2.0/Install/ImportCustomApps
Then, check if the add-on contains data that is mapped to the CIM data models used to populate that dashboard panel. Check to see which parts of the data model need to have data in them to appear on that dashboard panel:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Dashboardrequirements
And then check the data model to see if it has data:
http://docs.splunk.com/Documentation/CIM/4.12.0/User/UsetheCIMtonormalizedataatsearchtime#6._Validat...
Is the app being imported by Splunk Enterprise Security? http://docs.splunk.com/Documentation/ES/5.2.0/Install/ImportCustomApps
Hi smoir,
I have managed to get the data into Splunk Enterprise Security after going through all the links. Thank you very much for your help.
Awesome! I summarized my comments for you as an answer 🙂
Hi Smoir,
Thank you for replying.
No, it's not. The app is not using the "TA-" naming convention; when I uploaded it to the search head it used "amp4e_events_input" as its folder name in $SPLUNK_HOME\etc\apps.
I will follow this document and import the app as instructed. I will keep you posted.
Hi Smoir
I have imported the Cisco AMP app into ES, but I still can't see any data.
Does the add-on contain data that is mapped to the CIM data models used to populate that dashboard panel? You can check here to see which parts of the data model need to have data in them to appear on that dashboard panel:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Dashboardrequirements
and also here to learn more about how to check the data model:
http://docs.splunk.com/Documentation/CIM/4.12.0/User/UsetheCIMtonormalizedataatsearchtime#6._Validat...
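The three checks smoir lists (is the add-on imported, are the events mapped to the CIM data model behind the panel, does the data model actually contain data) can each be confirmed with a search on the ES search head. The searches below are an added example, not code from the original thread or from the Cisco AMP add-on. They assume the Malware Center panels read from the CIM Malware data model and its Malware_Attacks root dataset (whose constraint is tag=malware tag=attack), and they use the index name "amp" and a 24-hour window as constructed placeholders for whatever your AMP data actually lands in.

```spl
| rest /services/apps/local splunk_server=local
| search title=amp4e_events_input
| table title, label, version, disabled

index=amp earliest=-24h
| stats count by sourcetype, tag

index=amp tag=malware tag=attack earliest=-24h
| stats count by sourcetype

| datamodel Malware Malware_Attacks search earliest=-24h
| table _time, index, sourcetype, Malware_Attacks.dest, Malware_Attacks.signature, Malware_Attacks.action, Malware_Attacks.file_name
| head 20

| tstats count from datamodel=Malware where nodename=Malware_Attacks earliest=-24h by index, sourcetype
```

Read the results in order. The first search shows whether the app folder is present and enabled on the search head at all (it does not prove ES imported it, which is what the ImportCustomApps page covers). The second search lists the raw AMP events with whatever tags the add-on's eventtypes have attached; if the malware and attack tags are missing here, the events exist but are not CIM-mapped, so no data model will ever pick them up. The third search narrows to events that satisfy the Malware_Attacks constraint. The fourth search goes through the data model itself and shows whether the fields the dashboard needs (dest, signature, action) are populated rather than empty. The last search uses the accelerated summaries, which is what the ES dashboards query; if the fourth search returns rows but this one returns nothing, the data model is mapped but its acceleration has not yet been built or the index is outside the accelerated time range.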