While configuring a Splunk Event Profile, in the mapping section, the "Fetch Sample Data" button does not return any data for the selected alert.
The ECC_QUEUE shows both the REST request sent to Splunk and the response received. However, no data is shown in the Alert Sample ingestion section of the event profile.
Release or Environment
Madrid release Patch 7a.
Splunk Enterprise Event Ingestion for Security Operations, version 5.1.0.
The "Fetch Sample Data" action will not return any data if no recent alert of the type selected in the Event Profile configuration has fired on the Splunk side.
Verify that there are recent alerts fired on the Splunk side for the alert type selected in your configuration. The "Fetch Data" action will only return recent sample data.
Once sample data is returned, you can complete the Splunk Event Profile configuration.