All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cacti Mirage Add-On for Splunk: Why are no hosts being reported?

Esky73
Builder
‎03-20-2017 05:37 PM

Hi i have installed the Cacti Mirage Add-On for Splunk on my lab instance which is Search Head and indexer in one.
Cacti is installed in /var/www/html/cacti-1.0.1/
I have installed the Universal Forwarder on cacti and am seeing data for the following sourcetypes coming in to my index called cacti:

cacti:mirage
cacti:system
cacti:lookup:mirage

However some of the reports are missing data - i think because my lookup table is not being populated.

Looking at the search for Cacti Polling & Lookups Status the search is driven by:

eventtype=cacti:mirage | timechart span=5m count by host

In the eventtypes.conf i have:

[cacti:mirage]
search = `cacti_index` sourcetype=cacti:mirage

and if i run

`cacti_index` sourcetype=cacti:mirage

then that works fine but then if i run:

eventtype=cacti:mirage

i see no results

Any idea why?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎03-20-2017 08:57 PM

Hey Eksy73!

Sorry for the inconvenience! I believe the issue is the use of the macro in the eventtype, which broke somewhere along the upgrade path since we released the app in 6.3

I will make sure to update the app on Splunkbase, in the meantime, try updating the eventtype to :

[splunker@n00bserver local]$ cat eventtypes.conf 
[cacti:mirage]
search = index=cacti sourcetype=cacti:mirage

[cacti:lookup:mirage]
search = index=cacti sourcetype=cacti:lookup:mirage
[splunker@n00bserver local]$

The macro was only thrown in to let users set their own index, but at this point we will just take it out and ensure the users either use index=cacti or configure the eventtype accordingly.

Let me know if that solves it for you

Thanks!

Matt

- MattyMo

View solution in original post

Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎03-20-2017 08:57 PM

Hey Eksy73!

Sorry for the inconvenience! I believe the issue is the use of the macro in the eventtype, which broke somewhere along the upgrade path since we released the app in 6.3

I will make sure to update the app on Splunkbase, in the meantime, try updating the eventtype to :

[splunker@n00bserver local]$ cat eventtypes.conf 
[cacti:mirage]
search = index=cacti sourcetype=cacti:mirage

[cacti:lookup:mirage]
search = index=cacti sourcetype=cacti:lookup:mirage
[splunker@n00bserver local]$

The macro was only thrown in to let users set their own index, but at this point we will just take it out and ensure the users either use index=cacti or configure the eventtype accordingly.

Let me know if that solves it for you

Thanks!

Matt

- MattyMo
Reply
Solved! Jump to solution

Esky73
Builder
‎03-20-2017 09:37 PM

Hi,

Using 6.5.2

Thanks for that - there were a few other broken searches - but you got me on the right track and all's looking good. Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎03-23-2017 09:19 AM

looking to load up an update soon!

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...