Splunk® Enterprise Security

Troubleshoot Splunk Enterprise Security

Troubleshoot missing contributing events for findings in Splunk Enterprise Security

Issue

Contributing events for some findings might be missing.

Cause

Some detections fire on the absence of an expected event rather than on the presence of one. For example, the "Endpoint - Should Timesync Host Not Syncing - Rule" detects a lack of successful time synchronization events for a particular host. Another example is the "Audit - Expected Host Not Reporting - Rule", which detects a lack of data from a host. The results of such a search are derived from the list of expected hosts, not from indexed events, so there are no raw events for the finding to point back to.

When findings are created for these hosts, it is possible that "No results found" is displayed for contributing events.

Solution

You can use the time range picker to expand the time range and identify when the events stopped, but it is possible that "No results found" will persist, because the host never generated the expected event in the first place.
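The following added example (not Splunk's own code) models an absence detection and its contributing-events drilldown over constructed sample data, to show why widening the time range recovers events for a host that stopped syncing but not for one that never synced. The host names, events and window sizes are all assumed.

```python
from datetime import datetime, timedelta

# Constructed sample data: hosts expected to time-sync, and the sync
# events that were actually indexed. "db01" has only failed syncs.
EXPECTED_HOSTS = {"web01", "web02", "db01"}
SYNC_EVENTS = [
    {"_time": datetime(2024, 7, 11, 9, 0), "host": "web01", "action": "success"},
    {"_time": datetime(2024, 7, 11, 9, 5), "host": "web01", "action": "success"},
    {"_time": datetime(2024, 7, 9, 22, 0), "host": "web02", "action": "success"},
    {"_time": datetime(2024, 7, 11, 8, 0), "host": "db01", "action": "failure"},
]
NOW = datetime(2024, 7, 11, 12, 0)  # assumed detection run time


def contributing_events(host, window):
    """Drilldown: successful sync events for `host` within `window` of NOW."""
    earliest = NOW - window
    return [e for e in SYNC_EVENTS
            if e["host"] == host and e["action"] == "success"
            and earliest <= e["_time"] < NOW]


def hosts_not_syncing(window):
    """Absence detection: expected hosts with no successful sync in the window.
    Each result row comes from EXPECTED_HOSTS, not from an indexed event,
    which is why a finding built from it has no events of its own."""
    earliest = NOW - window
    seen = {e["host"] for e in SYNC_EVENTS
            if e["action"] == "success" and earliest <= e["_time"] < NOW}
    return sorted(EXPECTED_HOSTS - seen)


def drilldown_counts(host, window, widened):
    """Contributing-event counts before and after widening the time range."""
    return (len(contributing_events(host, window)),
            len(contributing_events(host, widened)))


if __name__ == "__main__":
    day, week = timedelta(hours=24), timedelta(days=7)
    for host in hosts_not_syncing(day):
        before, after = drilldown_counts(host, day, week)
        print(f"{host}: {before} contributing events in 24h, {after} in 7d")
```

For "web02" the widened range surfaces the last successful sync, whereas for "db01" the count stays at zero for any range because no successful sync was ever indexed.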

Last modified on 11 July, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

