Threat Hunting is empty


mariano hinjos

Jan 21, 2026, 7:07:02 AM (yesterday) Jan 21
to Wazuh | Mailing List
Hi

When I set it to 24 hours, I see absolutely nothing, and when I set it to 30 days, some days appear fine and others are blank. I have checked that events are coming in, but I don't see any.

Any ideas? 

v4.14.1, all indices green, no errors in ossec.log


wazuhempty.png

Dennis Ariel Gamboa Veliz

Jan 21, 2026, 7:34:09 AM (yesterday) Jan 21
to Wazuh | Mailing List
Hi mariano,

In Wazuh Threat Hunting, not all incoming events are shown. It displays only data from generated alerts (i.e., documents indexed in wazuh-alerts-* that have triggered rules). Even if your manager is receiving events and the indices are green, if those events do not trigger any alerts (rule.level > 0), Threat Hunting will appear empty.

This is expected behavior: Threat Hunting is designed to help you explore alert data, not to act as a generic event viewer. If events don’t match rule conditions or are indexed without the fields Threat Hunting expects, they won’t appear in that view. That’s also why selecting 24 h shows nothing, while a broader range shows some days with data. It depends on when alerts were actually generated and indexed.

More information in the official documentation: https://documentation.wazuh.com/current/getting-started/use-cases/threat-hunting.html

Regards,
Dennis Gamboa

mariano hinjos

Jan 21, 2026, 9:21:50 AM (yesterday) Jan 21
to Wazuh | Mailing List

Thank you for your reply, but that is not the problem. I have configured level 3 and I know that those types of events are coming in. I have also just seen that it is not generating the corresponding index, for example, for today.

[root@ESAWU034P ~]# curl -k -u **************************** "https://localhost:9200/_cat/indices/wazuh-alerts-4.x-*?h=index,docs.count&s=index:desc"|grep 2026
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10620  100 10620    0     0   144k      0 --:--:-- --:--:-- --:--:--  144k
wazuh-alerts-4.x-2026.01.03 1413933
wazuh-alerts-4.x-2026.01.02 1555317
wazuh-alerts-4.x-2026.01.01 1414195

Dennis Ariel Gamboa Veliz

6:27 AM (3 hours ago) 6:27 AM
to Wazuh | Mailing List
Hi mariano,

This is expected behavior. Wazuh creates daily alert indices (wazuh-alerts-4.x-YYYY.MM.DD) only when alerts are generated and indexed. If no alerts are produced on a given day, the daily index is not created.
Since Threat Hunting queries only alert indices, no index for today means no alerts indexed yet, so the view appears empty.

To verify that everything is working correctly, you can generate a real alert by running the following command on any agent:

ssh invaliduser@localhost

Enter any password when prompted. This will trigger an SSH failed login alert (rule ID: 5710), create the daily alert index if it does not exist yet, and the alert should then be visible in Threat Hunting.

Best regards,
Dennis Gamboa
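As an added illustration of the point made in this thread (not code from Wazuh or from either poster), the script below takes the `_cat/indices/wazuh-alerts-4.x-*?h=index,docs.count` listing quoted above and reports which days in a date range have no daily alert index (or an empty one), which is exactly the set of days that will render blank in Threat Hunting. The sample listing is constructed to mirror the one in the thread; the function and variable names are this example's own.

```python
import re
from datetime import date, timedelta

# Constructed sample in the shape of the curl/_cat output quoted in the thread
# (a curl progress line is included on purpose to show it is ignored).
SAMPLE_CAT_OUTPUT = """\
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
wazuh-alerts-4.x-2026.01.03 1413933
wazuh-alerts-4.x-2026.01.02 1555317
wazuh-alerts-4.x-2026.01.01 1414195
"""

# Daily alert index name as created by the Wazuh indexer: wazuh-alerts-4.x-YYYY.MM.DD
INDEX_RE = re.compile(r"^wazuh-alerts-4\.x-(\d{4})\.(\d{2})\.(\d{2})\s+(\d+)\s*$")


def parse_daily_counts(cat_output):
    """Map each daily alert index date to its document count; skip other lines."""
    counts = {}
    for line in cat_output.splitlines():
        m = INDEX_RE.match(line.strip())
        if not m:
            continue
        y, mo, d, n = m.groups()
        counts[date(int(y), int(mo), int(d))] = int(n)
    return counts


def missing_alert_days(cat_output, start_iso, end_iso):
    """Return the dates (YYYY.MM.DD) in [start, end] with no index or zero alerts.

    Threat Hunting queries only wazuh-alerts-* indices, so every date returned
    here corresponds to a day that shows up empty in the dashboard.
    """
    counts = parse_daily_counts(cat_output)
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    gaps = []
    day = start
    while day <= end:
        if counts.get(day, 0) == 0:
            gaps.append(day.strftime("%Y.%m.%d"))
        day += timedelta(days=1)
    return gaps


if __name__ == "__main__":
    for d in missing_alert_days(SAMPLE_CAT_OUTPUT, "2026-01-01", "2026-01-05"):
        print("no alerts indexed for", d)
```

In practice, pipe the output of the curl command shown earlier into this script (or read it from a file); a missing day then points at the manager not having produced any alerts that day, not at a dashboard fault.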