Troubleshoot common issues when using Federated Analytics with Splunk Enterprise Security
Issue
ESCU detections do not gather data from the correct federated indexes.
Cause
All federated indexes are not added to the amazon_security_lake search macro.
Solution
In Splunk Enterprise Security, go to Search and expand the amazon_security_lake
macro to verify if all pertinent indexes are available and edit the macro to include any missing indexes.
Alternatively, in Splunk Enterprise Security, go to Settings and select Advanced search and then select Search macro to edit the amazon_security_lake
macro and add any missing indexes.
See also
For more information on configuring Federated Analytics on Splunk Platform, see the product documentation:
Troubleshoot pairing Splunk Enterprise Security with Splunk SOAR |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!