Troubleshoot the InfoSec app for Splunk
Following are some of the common installation and configuration issues for the Splunk Infosec app:
For more information on troubleshooting the InfoSec app, search Splunk Answers using the tag InfoSec App for Splunk.
Dashboards don't display any data
Problem
One or more dashboards aren't displaying any data.
Cause
The search that drives the dashboard is unable to locate the data within your Splunk platform environment.
Solutions
To check if the search that drives the dashboard is able to locate the data within your Splunk platform environment, click on the magnifying glass on the dashboard to examine the associated search string. The first line identifies the data model on which the dashboard is based. Revisit the configuration steps to ensure that the correct data is fed into the identified data model. For more information to validate data sources, see Validate data sources that feed the infoSec app for Splunk data models.
You can also simplify the search to determine which part of the search prevents the data from being displayed. Additionally, you can remove all but the first line of the search to check if any data is returned. You can also re-add the additional lines from the original search, one-by-one, to identify which component of the search prevents data from being returned as expected. Your data might not be fully Common Information Model (CIM) compliant and you might need to revisit the configuration.
Dashboard displays error message about missing visualization
Problem
Dashboard displays the following error message: "No matching visualization found for type: <type>, in app: <app_name>".
Cause
One of the supporting add-ons is not be installed or is disabled.
Solutions
- On the Splunk Enterprise toolbar, select Apps > Manage Apps and confirm that the missing supporting app or add-on is installed.
- Check that the supporting app or add-on is not disabled and that the permissions for the app or add-on is set to shared.
Dashboards display error message about missing data model
Problem
Dashboard displays the following error message:Data model was not found
.
Cause
A specific data model is missing from the InfoSec app.
Solution
- On the Splunk Enterprise menu bar, select Configure > Settings > Data models.
- Find the data model and confirm that the permissions are set correctly.
- Confirm that the Common Information Model (CIM) app is correctly installed and that the app is enabled within the Settings menu.
Problem
The Splunk InfoSec app is installed but is not visible in the Splunk App menu.
Cause
The InfoSec app is disabled.
Solution
- On the Splunk Enterprise menu bar, go to the Manage Apps menu and check the settings for the InfoSec app. .
- Select the Edit Properties menu and enable the app
Extend the capabilities of the InfoSec app for Splunk |
This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0
Feedback submitted, thanks!