Splunk® InfoSec App

Administration Guide

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Troubleshoot the InfoSec app for Splunk

Following are some of the common installation and configuration issues for the Splunk Infosec app:

For more information on troubleshooting the InfoSec app, search Splunk Answers using the tag InfoSec App for Splunk.

Dashboards don't display any data

Problem

One or more dashboards aren't displaying any data.

Cause

The search that drives the dashboard is unable to locate the data within your Splunk platform environment.

Solutions

To check if the search that drives the dashboard is able to locate the data within your Splunk platform environment, click on the magnifying glass on the dashboard to examine the associated search string. The first line identifies the data model on which the dashboard is based. Revisit the configuration steps to ensure that the correct data is fed into the identified data model. For more information to validate data sources, see Validate data sources that feed the infoSec app for Splunk data models.

You can also simplify the search to determine which part of the search prevents the data from being displayed. Additionally, you can remove all but the first line of the search to check if any data is returned. You can also re-add the additional lines from the original search, one-by-one, to identify which component of the search prevents data from being returned as expected. Your data might not be fully Common Information Model (CIM) compliant and you might need to revisit the configuration.

Dashboard displays error message about missing visualization

Problem

Dashboard displays the following error message: "No matching visualization found for type: <type>, in app: <app_name>".

Cause

One of the supporting add-ons is not be installed or is disabled.

Solutions

  1. On the Splunk Enterprise toolbar, select Apps > Manage Apps and confirm that the missing supporting app or add-on is installed.
  2. Check that the supporting app or add-on is not disabled and that the permissions for the app or add-on is set to shared.

Dashboards display error message about missing data model

Problem

Dashboard displays the following error message:Data model was not found.

Cause

A specific data model is missing from the InfoSec app.

Solution

  1. On the Splunk Enterprise menu bar, select Configure > Settings > Data models.
  2. Find the data model and confirm that the permissions are set correctly.
  3. Confirm that the Common Information Model (CIM) app is correctly installed and that the app is enabled within the Settings menu.

InfoSec app is not visible in the Splunk App menu

Problem

The Splunk InfoSec app is installed but is not visible in the Splunk App menu.

Cause

The InfoSec app is disabled.

Solution

  1. On the Splunk Enterprise menu bar, go to the Manage Apps menu and check the settings for the InfoSec app. .
  2. Select the Edit Properties menu and enable the app
Last modified on 29 July, 2021
PREVIOUS
Extend the capabilities of the InfoSec app for Splunk 		 

This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters