If data is not populating in the dashboards, try the following solutions to resolve the issue:

  • The Centrify Add-On for Splunk should not be modified on the Universal Forwarder. Specifically, the source type should not be modified. Data should arrive with either the WinEventLog:Application or the syslog source type.

  • The Centrify Add-On for Splunk should be installed on Indexers because it performs index-time extraction and indexes data into the respective source types. Data from the WinEventLog:Application source type is indexed in the centrify_css_winlog source type, and data from the syslog source type is indexed in the centrify_css_syslog source type.

  • If a new index has been created, it should be added to the default index list of the user roles, in the following location:

    Settings > Access Controls > Roles > (Click on particular role) > Indexes Searched by default.
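
The role setting above is stored on disk as `srchIndexesDefault` in `authorize.conf`, and roles also inherit it through `importRoles`. The following added example (not part of the Centrify or Splunk documentation) lists the roles whose default search indexes do not cover a given index; the role names and the index name `centrify` are constructed sample values.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; role and index names are made up.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_power]
importRoles = user

[role_centrify_analyst]
importRoles = user
srchIndexesDefault = centrify*
"""

def _split(value):
    # authorize.conf lists are semicolon-delimited
    return [v.strip() for v in value.split(";") if v.strip()]

def default_indexes(conf, role, seen=None):
    """Collect srchIndexesDefault patterns for a role, following importRoles."""
    seen = set() if seen is None else seen
    if role in seen or not conf.has_section("role_" + role):
        return set()
    seen.add(role)  # guards against circular imports
    section = conf["role_" + role]
    patterns = set(_split(section.get("srchIndexesDefault", fallback="")))
    for parent in _split(section.get("importRoles", fallback="")):
        patterns |= default_indexes(conf, parent, seen)
    return patterns

def matches(pattern, index):
    # A pattern such as "*" does not match internal (underscore-prefixed) indexes.
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)

def roles_missing_index(conf_text, index):
    """Return the roles that do not search `index` by default."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.optionxform = str  # keep setting names case-sensitive
    conf.read_string(conf_text)
    roles = [s[len("role_"):] for s in conf.sections() if s.startswith("role_")]
    return sorted(r for r in roles
                  if not any(matches(p, index) for p in default_indexes(conf, r)))

if __name__ == "__main__":
    print(roles_missing_index(SAMPLE_AUTHORIZE_CONF, "centrify"))
```

Users in a reported role only see the Centrify data when a search names the index explicitly, which is why dashboards that rely on the default index list appear empty for them.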