Troubleshoot Splunk Security Essentials

Use the following sections to troubleshoot potential issues with Splunk Security Essentials.

You are seeing outdated content in Splunk Security Essentials

You are seeing outdated content on the dashboards in Splunk Security Essentials, even after you upgraded to a new version.

The cache was not refreshed.

Force an update of Splunk Security Essentials.

From Splunk Security Essentials, select Configuration.
Select Update Content then Force Update.
After the new content finishes downloading, the Configuration button turns green.
Select Configuration to refresh the page.

Content in the Analytics Advisor dashboard does not appear in the Active category in the MITRE ATT&CK Matrix view.

No content matches the criteria for it to be marked as active.

Check that the content you want to appear as Active matches the following criteria.

Setting to review	How to fix	More information
Check that the content is marked as Enabled.	If the content isn't marked as Enabled, set the bookmark status to Successfully Implemented.	See Track your content with the Manage Bookmarks dashboard.
Check that the content is linked to a data source that is marked as Good. You can find this information on the Security Content page.	If the content isn't linked to a data source marked as Good, use the data inventory dashboard to mark the data source as Good. If you want to use a general-purpose data source that is always marked as Good, use the Any logs in Splunk option in the Vendor category.	See Configure the products you have in your environment with the Data Inventory dashboard.