Troubleshoot dashboards in Splunk Enterprise Security
Each dashboard in Enterprise Security references data from various data models. Without the relevant data, the dashboards will remain empty. If you expect data to appear, or if the data appearing is older than you expect, follow these troubleshooting steps.
- Perform a search against the data model. Click Open in Search in the lower left corner of a dashboard view to perform a direct search against the data model. The New Search dashboard also exposes the search commands and objects used to populate a particular view.
- If the search yields no results, determine if any data required for a dashboard is available in the data model.
- See the Dashboard requirements matrix in this manual to determine the data model datasets used by a dashboard.
- Use the data model and data model dataset to search for events in the data model.
Action Search Expected Result Verify the data is normalized to the Common Information Model | datamodel data_model_name root_object_name search | table _time, sourcetype, root_object_name.*
For example,| datamodel Network_Traffic All_Traffic search | dedup sourcetype | table _time, sourcetype, All_Traffic.*
Returns a list of sourcetypes and the data model objects and fields populated by that sourcetype.
- If no data is available, confirm the data model is being accelerated.
- In Enterprise Security, browse to Audit > Data Model Audit.
- Review the Acceleration Details panel for information about the data model acceleration status, such as when the latest data model acceleration occurred, or whether it is 100% complete. See Configure data models for Splunk Enterprise Security in the Installation and Upgrade Manual.
- If the data model acceleration status is as expected, validate that additional required data sources are available. For example, the User Activity dashboard uses additional data sources.
Dashboard Name Data type Data source User Activity Lookups The Cloud Domains, Corporate Email Domains, and Corporate Web Domains lookup files. Identities The Identity fields: bunit
,email
,watchlist
,work_city
,work_country
,work_lat
, andwork_long
. For more details, see Identity lookup fields in this manual.Correlation Searches * High Volume Email Activity with Non-corporate Domains
* Watchlisted Event Observed
* Web Uploads to Non-corporate Sites by Users
Access Anomalies Correlation Searches * Impossible Travel Events Detected For Users
Dashboard requirements matrix for Splunk Enterprise Security | Troubleshoot missing notable events in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!