FAQ
Why are the scorecards not active if notable events exist?
If correlation searches are working and creating notable events, but the notable events do not appear on scorecards in the Splunk App for PCI Compliance, check two things.
Potential cause: Notable events could be suppressed by a suppression rule.
- Open the Notable Event Suppression Audit page to determine if suppressions are preventing notable events from appearing.
- You can also compare the results from these two searches.
`notable`
`notable` | search NOT `suppression`
Potential resolution: Review any suppression rules that exist to confirm that they are accurate and should be enabled or disabled.
Potential cause: For custom correlation searches, notable events could exist but not be linked to a governance and control value in governance.conf
.
- Compare the results from these two searches.
`notable`
`notable` | search (`get_governance(pci)`)
Potential resolution: Link the correlation searches to governance.conf
entries. See Configure correlation searches.
Cisco add-ons
You can install various Splunk Add-on for Cisco products on the search head with the Splunk App for PCI Compliance and partially disable them to prevent load.
- To disable the searches, go to Settings > Searches and Reports, select the app name and disable all searches.
- To disable their dashboards, go to Settings > User Interface > Views, select the app name and disable all views.
This applies to these add-ons:
Troubleshoot your deployment |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
Feedback submitted, thanks!