Hi,
When I search all indexed data against the "Intrusion Detection" data model from the Search & Reporting app's context, Splunk can correctly identify data from both Imperva and eStreamer, based on the tags ids and attack.
![alt text][1]
But when I run the exact same search from the context of Enterprise Security, only data from Imperva is returned. It does not see eStreamer data.
![alt text][2]
I have verified that under CIM Setup for the "Intrusion Detection" data model, there are no restrictions on which indexes it can search.
Also, the knowledge objects which are normalizing eStreamer data do have global permissions.
What else could we be missing?
Many Thanks,
~ Abhi
[1]: /storage/temp/183202-datamodel-ids-searchreporting.jpg
[2]: /storage/temp/183203-datamodel-ids-es.jpg