Describe the bug
Dashboard is mostly working as expected, seeing Audit Events and Event Code Analysis data, but no data is displayed in Policy Review.
Screen Shot
Expected behavior
Expect to see logged events in the Policy Review section, but only seeing "no search results returned".
App Version:
DA-ESS-ContentUpdate: 4.33.0
Additional context
Have a single Windows server collecting forwarded AppLocker events from multiple endpoints and writing them to the "Forwarded Events" log on the server acting as the Windows Event Collector.
Splunk UF on the server has the following inputs.conf:
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = applocker
renderXml = 1
The applocker SearchMacro definition has been set to:
index=applocker

@matchstickboy - Are you able to run the searches from the dashboard manually? I wonder if you don't have any events specific to show in your environment. Is this a live Splunk environment or a Splunk lab with AppLocker data? The dashboard works fine in our test environment!