If data is not populating in the dashboards, try the following solutions to resolve the issue:
-
The Centrify Add-On for Splunk should not be modified on the Universal Forwarder. Specifically, the source type should not be modified. Data should flow from either the
WinEventLog:Applicationorsyslog. -
The Centrify Add-On for Splunk should be installed on Indexers as it performs index time extraction and indexing data in respective source types. Data from the WinEventLog:Application source type will be indexed in the
centrify_css_winlogand thesyslogsource type data will be indexed in thecentrify_css_syslogsource type. -
If a new index has been created, it should be updated in the default index list in the user Roles shown in following location:
Settings > Access Controls > Roles > (Click on particular role) > Indexes Searched by default.
Doc Feedback