https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221068#M73463 <P>Could you please explain in greater detail your solution? Are you talking about the setting: "Source IP to Use For Collector On A VPN Tunnel"?</P> Thu, 16 Mar 2017 17:00:57 GMT seanduchstein 2017-03-16T17:00:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221061#M73456 <P>Dashboard not working. I believe I need to edit the sonicwall_firewalls.csv but not sure of the exact context. This is whats in there now:</P> <P>host, firewall_name<BR /> 127.0.0.1, localhost<BR /> 1.1.1.1, "Sample Host"<BR /> "localhost:2055", "IPFix Convert"</P> <P>Note: I am getting syslog data over UDP port 514 from the same device I'm trying to pull from.</P> Fri, 22 Apr 2016 21:03:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221061#M73456 rodgerkrau 2016-04-22T21:03:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221062#M73457 <P>It seems unlikely that would prevent the dashboard from working, but unlikely is not the same as impossible.</P> <P>You'll probably want to put, as a new line,</P> <PRE><CODE>1.2.3.4, "My firewall's name" </CODE></PRE> <P>in there, where 1.2.3.4 is its IP and the rest is a string "name" for it.</P> <P>If that works, great!</P> <P>If not, post back. It might help quite a bit if you could edit one of the dashboard panels and find the search string in it and paste that in here. That will tell us a lot about how that app expects to see its data (without making us download the app and examine it ourselves, that is). </P> <P>BTW, USUALLY these sorts of issues end up being index related. The data is going into a different index than what the dashboards expect, or the permissions are set on the role in such a way that the user logged in doesn't search the particular index needed by default or can't search it at all. Probably the second biggest reason these sorts of issues crop up is the app just fails to tag (generic word, not <EM>exactly and precisely the "tag" capability inside Splunk</EM>) your events properly (which can often be an input problem like you aren't assigning the right sourcetype on the input or something, but there are other various reasons for this sometimes too).</P> Sat, 23 Apr 2016 03:04:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221062#M73457 Richfez 2016-04-23T03:04:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221063#M73458 <P>stopped the splunk service. added a new line (didnt remove any lines) and started splunk service. <BR /> Now get an error: received event for unconfigured/disabled/deleted index='sonicwall' with source='source::dell_ipfix://Dell_IPFIX' host='host::localhost:2055' sourcetype='sourcetype::dell_ipfix' (1 missing total)</P> <P>xxx.xxx.xxx.xxx, "My SonicWall"<BR /> host, firewall_name<BR /> 127.0.0.1, localhost<BR /> 1.1.1.1, "Sample Host"<BR /> "localhost:2055", "IPFix Convert"</P> Tue, 29 Sep 2020 09:32:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221063#M73458 rodgerkrau 2020-09-29T09:32:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221064#M73459 <P>Here is one of the dashboard search strings: index=sonicwall tid=257 OR tid=357 OR tid=458 | timechart span=1h sum(init_to_resp_octets) as "outbound", sum(resp_to_init_octets) as "inbound" | addtotals</P> <P>permissions appear to be correct. I am an admin on the system</P> Tue, 29 Sep 2020 09:32:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221064#M73459 rodgerkrau 2020-09-29T09:32:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221065#M73460 <P>You have an index with the name "sonicwall"? Your other comment indicates you've checked that, but that error means .... oh, it probably missed an event while you had services down, that's probably all. So, try this search:</P> <PRE><CODE>index=sonicwall </CODE></PRE> <P>What's that give?</P> <P>Actually, if that returns hits do </P> <PRE><CODE>index=sonicwall | count by tid </CODE></PRE> <P>That way we can kill two birds with one stone.</P> <P>Are you on the IRC or Slack channel? These sorts of interactive back-and-forth troubleshooting is often easier in that forum (then we can come back here and provide the steps and resolution).</P> Mon, 25 Apr 2016 14:29:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221065#M73460 Richfez 2016-04-25T14:29:03Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221066#M73461 <P>ok, I noticed the index was set for "main" so I changed to sonicwall. index = sonicwall now showing data however dashboards still not populating data.. I can only post on this forum twice a day. Can we troubleshoot via email? and then post solution once resolved? </P> Tue, 26 Apr 2016 12:56:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221066#M73461 rodgerkrau 2016-04-26T12:56:21Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221067#M73462 <P>Resolution took a bit of back and forth.</P> <P>Deeper inspection of the events he had showed only lines like </P> <PRE><CODE>tid=555 total_data_count=0 total_data_size_kb=0 total_discard_count=0 </CODE></PRE> <P>In his sonicwall index. This is the same sorts of summary events I got when I tested the app (and I have NO sonicwall), so it became clear the data was NOT actually coming in.</P> <P>We double-checked the setup instructions and those did seem to have been completed properly. Rodgerkrau sniffed some traffic with Wireshark and confirmed that the data wasn't getting there.</P> <P>It turned out the router vpn from the sonicwall IP had to be reset to 0.0.0.0 and the data started flowing. </P> <P>All is better now!</P> Thu, 28 Apr 2016 11:58:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221067#M73462 Richfez 2016-04-28T11:58:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221068#M73463 <P>Could you please explain in greater detail your solution? Are you talking about the setting: "Source IP to Use For Collector On A VPN Tunnel"?</P> Thu, 16 Mar 2017 17:00:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-data-from-DELL-SonicWall-Analytics-App/m-p/221068#M73463 seanduchstein 2017-03-16T17:00:57Z