Troubleshoot missing contributing events for findings in Splunk Enterprise Security
Issue
Contributing events for some findings might be missing.
Cause
Some detections detect a lack of something. For example, the "Endpoint - Should Timesync Host Not Syncing - Rule" detects a lack of successful time synchronization events for a particular host. Another example is the "Audit - Expected Host Not Reporting - Rule" that detects a lack of data from a host.
When findings are created for these hosts, it is possible that "No results found" is displayed for contributing events.
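As an added illustration (not the actual search behind either rule named above), the following search shows the shape of an absence detection: it compares a list of hosts that are expected to report against the hosts that actually produced data in the last 24 hours and flags the ones with no events. The lookup name expected_hosts.csv and its host column are assumptions for this example.

```spl
| inputlookup expected_hosts.csv
| fields host
| join type=left host
    [| tstats count AS event_count
       WHERE index=* earliest=-24h@h latest=now
       BY host ]
| fillnull value=0 event_count
| where event_count=0
| table host event_count
```

A finding produced by a search like this records a host that contributed zero events in the window, so a contributing-events drill-down scoped to that host and that window has nothing to return.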
Solution
You can use the time range picker to expand the time range and identify when the lack of events began, but "No results found" might persist because the host never generated the expected event (for example, it never synchronized its time or never sent data), so there are no events for the finding to show.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1