Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF


I want to convert real-time searches to scheduled searches. How do I do that?

Navigate to Configure > Correlation Searches, click on the search name and remove the "rt" from in front of the Start time and Finish time fields. Save the search.

How can I properly modify post-process search behavior?

Some summary index data and lookup table data in the Splunk App for Enterprise Security is generated using a custom post-processing mechanism, which permits multiple searches to be executed as a single alert action, reducing overall search load. Post-processing is controlled by "postprocess.conf" configuration file(s).

Generally we do not recommend that you edit these files without the involvement of Splunk Support. However, if you do find it necessary to edit a "postprocess.conf" file on the filesystem, a refresh of the postprocess REST endpoint is required to make the change take effect. This can be done one of two ways:

1. By issuing a refresh request using curl, wget, or the browser to one of the following URLs:


2. Issuing a Splunk restart using any method.

I just installed the new version of the Splunk App for Enterprise Security and some of the dashboard are blank. Why is that?

After you install the Splunk App for Enterprise Security 2.2, some dashboard behavior may change. New search summaries significantly improve search times, but take time to populate. The day of the upgrade, changes in the underlying searches will cause some dashboards to be blank until the new summaries begin to accumulate data.

Once the new summaries are populated, you can browse the new data in the dashboards. To browse older data, you need to construct searches using raw data or summary indexes.

The Security Posture dashboard and the various centers are expected to be affected by this behavior, while the Incident Review dashboard and form-based searches are not expected to be affected.

How can events appear in dashboards where they are not expected?

Some security appliances offer multiple types of functionality, beyond their primary use case. In these circumstances, the add-on can cause multiple dashboards to show events from the single device.

For example, Cisco IronPort WSA events will primarily be seen in Proxy Center, but they also have the ability to detect certain types of attacks that an IDS would. Any event with "x_webroot_threat_name" in it, is likely to appear in the Intrusion Center, even though the event was produced by a proxy device.

How can I improve search head performance on my UNIX system?

The search head that is hosting Enterprise Security on UNIX systems should should be configured for high performance. Check the ulimit setting in particular, as this can artificially limit the operating system's capacity.

Removing ess_analyst role from a status transition removes all roles. Why is that?

Enterprise Security iterates through inheritance relationships to determine capabilities or permissions for roles. Every role that inherits from ess_analyst will have its capabilities removed if you delete ess_analyst.

To avoid this, you must either work downward when assigning rights (admins, analysts, users) or you must remove ess_analyst's permission in one step and restore ess_admin's permission in another step.

See "Configure user roles" in this document for more information on user roles.

How do I monitor forwarders to ensure they are correctly sending data?

Enterprise Security includes a rule that will trigger whenever a forwarder quits submitting events. To do so, you need to add the forwarder to the asset list and indicate that events should be expected from the device. See Identity Manager in this manual for information about how to configure the asset list.

I've added a Splunk search head to Enterprise Security and I'm not seeing all the expected data. What happened?

Make sure that the right indexes are being reviewed. By default, only main index and operating system index are included in a distributed environment.

To make sure that the right indexes are being reviewed, navigate to Settings > Access Controls > Roles > Admin > Indexes Searched By Default. Search the indexes list to determine which indexes are being reviewed.

The Search Audit dashboard is not populating data correctly. What is going wrong?

A cause for this behavior could be using Enterprise Security as a "power" user instead of an "ess_user". See "Configure user roles" and "Configure search head pooling" in this document for more information.

Is there a limit on the number of results that can be displayed in a dashboard? Can I change this?

For panels that use the Splunk stats command to create the chart, the count is limited by default to 100K values (for example, Client Distribution by Product Versions panel on the Malware Operations dashboard).

You can change this limit by editing maxvalues in the [stats] stanza in Splunk's limits.conf file. See "limits.conf" in the Splunk documentation for details.

Last modified on 09 April, 2014
WorkflowMaker file
Troubleshoot your deployment

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters