Splunk shows critical in Advance Threat Protection (ATP) User Interface (UI).

Article Id: 170831
Status: Published
Updated On: 25-09-2019 15:51
Legacy Id: TECH248767
Products:
Advanced Threat Protection Platform
Issue/Introduction:

ATP UI shows a Red Critical on the Splunk connector.

Resolution:

This is issue has been fixed in ATP 3.1.0 build, please upgrade to ATP 3.1.0 or later.

 

Workaround:

  1. Log into the ATP UI and click on the Settings-> Data Sharing-> .
  2. Uncheck the "Enable" for the "Splunk Event Forwarding".
  3. Edit the Splunk Event Forwarding.
  4. Expand the "Show Filters" and edit the "Event Forwarded From" date to the day before.
  5. Save the setting and Check the Enable box to activate the Splunk connection.
  6. You should get a Healthy Green status.
  7. Monitor for week to make sure that the Splunk server is receiving data.