Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Troubleshoot dashboards in Splunk Enterprise Security

Each dashboard in Enterprise Security references data from one or more data models. Without the relevant data, a dashboard remains empty. If you expect data to appear but it does not, or if the data shown is older than you expect, follow these troubleshooting steps.

  1. Perform a search against the data model. Click Open in Search in the lower left corner of a dashboard view to perform a direct search against the data model. The New Search dashboard also exposes the search commands and objects used to populate a particular view.
  2. If the search yields no results, determine if any data required for a dashboard is available in the data model.
    1. See the Dashboard requirements matrix in this manual to determine the data model datasets used by a dashboard.
    2. Use the data model and data model dataset to search for events in the data model.
      Action: Verify the data is normalized to the Common Information Model.
      Search:

        | datamodel data_model_name root_object_name search | table _time, sourcetype, root_object_name.*

      For example:

        | datamodel Network_Traffic All_Traffic search | dedup sourcetype | table _time, sourcetype, All_Traffic.*

      Expected result: Returns a list of sourcetypes and the data model objects and fields populated by each sourcetype.
  3. If no data is available, confirm the data model is being accelerated.
    1. In Enterprise Security, browse to Audit > Data Model Audit.
    2. Review the Acceleration Details panel for information about the data model acceleration status, such as when the latest data model acceleration occurred, or whether it is 100% complete. See Configure data models for Splunk Enterprise Security in the Installation and Upgrade Manual.
  4. If the data model acceleration status is as expected, validate that additional required data sources are available. For example, the User Activity dashboard uses additional data sources.
    Dashboard: User Activity
      Lookups: The Cloud Domains, Corporate Email Domains, and Corporate Web Domains lookup files.
      Identities: The Identity fields bunit, email, watchlist, work_city, work_country, work_lat, and work_long. For more details, see Identity lookup fields in this manual.
      Correlation Searches:
        * High Volume Email Activity with Non-corporate Domains
        * Watchlisted Event Observed
        * Web Uploads to Non-corporate Sites by Users
    Dashboard: Access Anomalies
      Correlation Searches:
        * Impossible Travel Events Detected For Users
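The following search is an added example and is not part of the Splunk documentation. It separates step 2 (is the data in the data model?) from step 3 (is the data model accelerated?) in a single run by comparing the event count available from accelerated summaries (summariesonly=true) with the count available when Splunk falls back to raw events (summariesonly=false). The Network_Traffic.All_Traffic dataset and the 24-hour window are assumptions; substitute the data model from the Dashboard requirements matrix and the time range you care about.

```spl
| tstats summariesonly=true count AS accelerated
    from datamodel=Network_Traffic.All_Traffic where earliest=-24h by sourcetype
| append
    [| tstats summariesonly=false count AS total
        from datamodel=Network_Traffic.All_Traffic where earliest=-24h by sourcetype]
| stats sum(accelerated) AS accelerated, sum(total) AS total by sourcetype
| fillnull value=0 accelerated total
| eval pct_accelerated=round(100*accelerated/total, 1)
| sort - total
```

A sourcetype with total greater than zero but accelerated equal to zero is CIM-normalized but has no summaries built, so check the Data Model Audit dashboard as in step 3. A sourcetype that is missing from the output entirely is not being tagged into the data model, so return to step 2.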
Last modified on 22 November, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

