Splunk® Enterprise Security

Troubleshoot Splunk Enterprise Security

Troubleshoot common issues when using Federated Analytics with Splunk Enterprise Security

Issue

ESCU detections do not gather data from the correct federated indexes.

Cause

All federated indexes are not added to the amazon_security_lake search macro.

Solution

In Splunk Enterprise Security, go to Search and expand the amazon_security_lake macro to verify if all pertinent indexes are available and edit the macro to include any missing indexes. Alternatively, in Splunk Enterprise Security, go to Settings and select Advanced search and then select Search macro to edit the amazon_security_lake macro and add any missing indexes.

See also

For more information on configuring Federated Analytics on Splunk Platform, see the product documentation:

Last modified on 13 November, 2024
Troubleshoot pairing Splunk Enterprise Security with Splunk SOAR  

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters