Message "search produced no results" appears in Splunk UI on "App: symantec ATP App for Splunk"
search cancel

Message "search produced no results" appears in Splunk UI on "App: symantec ATP App for Splunk"


Article ID: 176240


Updated On:


Endpoint Detection and Response Advanced Threat Protection Platform


After installing the Symantec Add-On for Splunk, the Dashboard appears to show "search produced no results"

+ Symptom: In ATP UI, Splunk connector status is 'Critical'
data is not coming for incident data source
+ Symptom: In Splunk Enterprise UI, on "App: symantec ATP App for Splunk", on the Incident Report tab, below Host: All, the message "search produced no results" appears


+ Symantec ATP Add-on for Splunk v1.0.7-8


   At splunk search, index=_internal log_level=ERROR earliest="%m/%d/%Y:%H:%M:%S" latest="%m/%d/%Y:%H:%M:%S"

      example : from November 12th to 15th at 8pm

                index=_internal log_level=ERROR earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"

      see :

   If there are fewer than 10,000 lines to export, then click "Actions>Export Results..." from the Search or Charting views, after a search has finished running.

   If you cannot find Actions>Export Results... in the Splunk UI, add "| outputcsv output.csv" to your search.

   After the query runs, you should be able to find file output.csv in $SPLUNK_HOME/ var/run/splunk/csv

* Application setup logs are written in $SPLUNK_HOME/var/log/TA-symantec_atp/local/logs/ta_symantec_setup.log

* ATP Manager API logs are written at $SPLUNK_HOME/var/log/TA-symantec_atp/local/logs/ta_symantec_atp_manager_api.log

* Email API logs are written at $SPLUNK_HOME/var/log/TA-symantec_atp/local/logs/ta_symantec_email_security_cloud_api.log

  For packing up logs: tar cjfv /tmp/SplunkAddOnLogs.tar.bz2 $SPLUNK_HOME/var/log/TA-symantec_atp/local/logs/*


If logs contain the error "invalid key in stanza" multiple times, collect output from "splunk btool check --debug"


On the SEDR side, is Splunk connector status still Critical? Matching logs would be in

atp-splunk_connector.log again, which can either be displayed in support CLI or collected as part of a SEDR diagnostic