Troubleshoot threat data reporting
If data does not populate in the report dashboard, do the following:
- If your organization uses a distributed Splunk environment, verify that threat data report consumption is configured on a heavy forwarder that is running the CylancePROTECT Application for Splunk (not just the technology add-on) and that the Splunk environment is running on version 7.2 or later.
- Verify that the latest version of the application is installed on the Splunk search head and that the matching version of the technology add-on is installed on the indexers.
- Confirm that the index name is either cylance_protect or protect, to match the inputs.conf file.
- Confirm that the eventtypes.conf file, which populates the dashboards, has not been altered.
- Verify that the macro cylance_index, which searches for Cylance data, has not been altered.
- On the Splunk homepage, on the vertical menu bar, click Search & Reporting. Set the time preset to All Time (real-time), then run the search eventtype=cylance_index sourcetype=syslog*.

From the command line, check the cylance_protect/local directory for the presence of CSV and SHA files (for example, <TenantName>-event.csv or <TenantName>-indicators.sha).
| Outcome | Actions to resolve |
|---|---|
| The CSV and SHA files are present. | |
| The CSV and SHA files are not present. | |
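The index-name check and the tenant file check from the list above can be scripted for a quick pre-flight on the forwarder. The following is an added example, not code from the CylancePROTECT app; the stanza name `cylance_protect://...` in the constructed inputs.conf sample and the `<TenantName>-event.csv` / `<TenantName>-indicators.sha` naming are assumptions based on this page.

```python
import configparser
import re
from pathlib import Path

# Index names the app's eventtypes expect to find in inputs.conf (from this page).
EXPECTED_INDEXES = {"cylance_protect", "protect"}

# Constructed sample inputs.conf; the "cylance_protect://" stanza prefix is assumed.
SAMPLE_INPUTS_CONF = """
[default]
disabled = 0

[cylance_protect://tenant_a]
index = cylance_protect
interval = 300

[cylance_protect://tenant_b]
index = main
"""

# Constructed directory listing for cylance_protect/local.
SAMPLE_FILES = ["AcmeCorp-event.csv", "AcmeCorp-indicators.sha",
                "Globex-event.csv", "README.txt"]


def load_splunk_conf(text):
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def check_input_indexes(inputs_conf_text):
    """Return (stanza, index) pairs whose index the dashboards will not search."""
    problems = []
    for stanza, keys in load_splunk_conf(inputs_conf_text).items():
        if stanza == "default":
            continue
        index = keys.get("index")
        if index not in EXPECTED_INDEXES:
            problems.append((stanza, index))
    return problems


def tenant_file_status(filenames):
    """Group <TenantName>-event.csv / -indicators.sha files by tenant; True = present."""
    status = {}
    for name in filenames:
        m = re.fullmatch(r"(?P<tenant>.+)-(event\.csv|indicators\.sha)", name)
        if m:
            entry = status.setdefault(m["tenant"],
                                      {"event.csv": False, "indicators.sha": False})
            entry[m.group(2)] = True
    return status


if __name__ == "__main__":
    print(check_input_indexes(SAMPLE_INPUTS_CONF))
    print(tenant_file_status(p.name for p in Path(".").iterdir()))
```

Point `tenant_file_status` at the real cylance_protect/local listing to see which tenants are missing a CSV or SHA file before consulting the table above.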