Good morning,
I've been using Corelight's Splunk application for several days now with only one sensor, and everything works fine except for the "Data Exploration/Connections" view. It never shows me any results; it always shows "No results found". I have been debugging the searches with the "inspect" option and it is correct: none of those searches can return results.
An example: for Top Services view, Corelight's app performs the following search:
search (NOT sensor_name!="*" id_orig_h="*" id_orig_p="*" id_resp_h="*" id_resp_p="*" NOT is_broadcast="true" service="*" (eventtype=bro_conn OR eventtype=corelight_conn)) | top service limit=15
and gets no result. But if I use the following search in Splunk's general view:
search (NOT is_broadcast="true" (eventtype=corelight_conn)) | top service limit=15
I get results as you can see in the screenshot attached.
Am I doing something wrong or is it a bug?
Many thanks
Regards,
C. L. Martinez
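The two searches quoted in the post differ only in the extra predicates the app adds (`NOT sensor_name!="*"`, the `id_*="*"`/`service="*"` field-existence tests). The following is an added example, not code from the post, from Corelight or from Splunk: a small Python model of how Splunk evaluates those predicates against events that have or lack a field, run over constructed sample events (the field names are assumed to be the flattened ones the app's search uses; the events are not real sensor data). It reproduces the observed symptom in miniature, namely that `top service` over the app's search can be empty or smaller than over the simple search, and includes a helper that lists which required fields each event is missing, which is the check worth running on the real index.

```python
from collections import Counter
from fnmatch import fnmatch

# Constructed sample events (not real sensor output), flattened the way the
# field names in the app's search suggest. Assumption: id_orig_h etc. are the
# names the app expects to find on each conn event.
SAMPLE_EVENTS = [
    # 1: complete conn event, passes every predicate
    {"eventtype": "corelight_conn", "sensor_name": "sensor-a",
     "id_orig_h": "10.0.0.5", "id_orig_p": 51000,
     "id_resp_h": "10.0.0.9", "id_resp_p": 443,
     "is_broadcast": "false", "service": "ssl"},
    # 2: sensor_name missing; still passes, because NOT field!="*" is a no-op
    {"eventtype": "corelight_conn",
     "id_orig_h": "10.0.0.6", "id_orig_p": 51001,
     "id_resp_h": "10.0.0.9", "id_resp_p": 443,
     "is_broadcast": "false", "service": "ssl"},
    # 3: id_resp_p missing (constructed; e.g. extracted under another name),
    #    so id_resp_p="*" fails and the app's search drops it
    {"eventtype": "corelight_conn", "sensor_name": "sensor-a",
     "id_orig_h": "10.0.0.7", "id_orig_p": 51002,
     "id_resp_h": "10.0.0.53",
     "is_broadcast": "false", "service": "dns"},
    # 4: broadcast traffic, excluded by both searches
    {"eventtype": "corelight_conn", "sensor_name": "sensor-a",
     "id_orig_h": "0.0.0.0", "id_orig_p": 68,
     "id_resp_h": "255.255.255.255", "id_resp_p": 67,
     "is_broadcast": "true", "service": "dhcp"},
]

# Fields the app's search requires via field="*"
REQUIRED_STAR_FIELDS = ["id_orig_h", "id_orig_p", "id_resp_h", "id_resp_p", "service"]


def has_value(event, field):
    """Model of `field="*"`: true only if the field exists with a non-empty value."""
    return event.get(field) not in (None, "")


def neq(event, field, pattern):
    """Model of `field!=pattern`: matches only events that HAVE the field and
    whose value does not match the pattern. Events lacking the field never match."""
    if field not in event:
        return False
    return not fnmatch(str(event[field]), pattern)


def app_search(events):
    """The Corelight app's Top Services search, as modelled here."""
    return [
        e for e in events
        if not neq(e, "sensor_name", "*")            # NOT sensor_name!="*"  (always true)
        and all(has_value(e, f) for f in REQUIRED_STAR_FIELDS)
        and not e.get("is_broadcast") == "true"      # NOT is_broadcast="true"
        and e.get("eventtype") in ("bro_conn", "corelight_conn")
    ]


def simple_search(events):
    """The shorter search the poster ran in Splunk's general view."""
    return [
        e for e in events
        if not e.get("is_broadcast") == "true"
        and e.get("eventtype") == "corelight_conn"
    ]


def top_service(events, limit=15):
    """Model of `| top service limit=N`: counts, highest first (name breaks ties)."""
    counts = Counter(e["service"] for e in events if has_value(e, "service"))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def missing_required_fields(events):
    """Diagnostic: for each event, the required fields that field="*" would reject."""
    return [[f for f in REQUIRED_STAR_FIELDS if not has_value(e, f)] for e in events]


if __name__ == "__main__":
    print("app search   :", top_service(app_search(SAMPLE_EVENTS)))
    print("simple search:", top_service(simple_search(SAMPLE_EVENTS)))
    print("missing      :", missing_required_fields(SAMPLE_EVENTS))
```

The diagnostic is the useful part: run the app's search without the `| top` and with a `| stats count(id_orig_h) count(id_resp_p) count(service)` style tail on the real data to see which of the required fields is absent, since any one missing field makes the whole `field="*"` conjunction fail.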