Open bdcrandall opened 1 month ago
Hi @bdcrandall
Hmm, right, indeed, something doesn't seem right in your deployment.
I would suggest the following steps:
We recommend dedicating a Virtual Tenant to splk-dhm (for endpoint tracking in general); this would allow you to more easily manage different aspects of the features, such as disabling ML Outliers (see this starting tutorial: https://docs.trackme-solutions.com/latest/white_paper_starting_with_trackme.html#white-paper-starting-with-trackme - I know you are used to TrackMe already, but this shows the best practices).
Therefore, I would recommend that you remove the splk-dhm component from this tenant (from Virtual Tenant, Manage components, remove splk-dhm).
Also, if you do not use it, I would recommend removing splk-mhm (by default we have disabled it for a good number of releases) - you can follow the same step as above.
Then I would recommend that you create a new Virtual Tenant (say "endpoints"), with splk-dhm only.
We recommend disabling ML outliers for splk-dhm; from 2.0.98 it will be disabled by default when creating a new tenant where only splk-dhm is enabled. To disable it, as in the doc I shared, you can simply toggle off the dropdown when creating the tenant.
Once you have created your new Virtual Tenant, then create your tracker(s); please start small and ensure that you carefully restrict your hybrid tracker scope to useful indexes.
If you could follow these recommendations and revert here, then I would be happy to meet you and review your deployment issues together (you can contact us at: support@trackme-solutions.com).
We will also attempt to reproduce.
Guilhem
Describe the bug: SPLK-DHM - Event Endpoints Tracking dashboard is blank. In addition, at least one data source isn't getting tracked in SPLK-DSM - DATA SOURCES TRACKING.
TrackMe version: 2.0.97
To Reproduce: Steps to reproduce the behavior:
This is a behavior that has started recently and I am not sure how to reproduce it. It would probably take a screen share to figure out what is going on.
Expected behavior: SPLK-DHM should work! Also, the TrackMe metrics and Splunk query for a data source should agree!
Splunk version and deployment: Standalone search head in Splunk Cloud. Version: 9.1.2308.207, Build: d9f7331c3888
Additional context: The health tracker and outlier tracker searches seem to have very long runtimes. I've included a screenshot of those from the monitoring console dashboard as well for reference. Not sure if it is related to the overall issue.