Dear Team,
I have cloudflare app setup and index has data. However, when i open the app from the menu, it show zero result. This is the search of one query:
| tstats count from datamodel=cloudflare.cloudflare where Cloudflare.ClientCountry="*" Cloudflare.ClientDeviceType="*" Cloudflare.dest_ip="*" Cloudflare.dest_host="*" Cloudflare.uri_path="*" Cloudflare.http_user_agent="*" Cloudflare.status="*" Cloudflare.src_ip="" Cloudflare.OriginResponseStatus="200" Cloudflare.RayID="*" Cloudflare.WorkerSubrequest="*" Cloudflare.http_method="*"
--> the result is 0.
However, when i omit the rest and leave ony clientcountry field. I have data. I have my data model created and finished acceleration.
What is the cause of that?
We ran into this as well. As long you you verified the data path is open and you are getting data then take a look at this link
https://developers.cloudflare.com/fundamentals/data-products/analytics-integrations/splunk
Go to the bottom under troubleshooting. You have to enable the right data in the Cloudflare console for the dashboards to populate. Just turning on the log feed is not enough. Good luck!
you mean search for index=cloudflare _raw?
If you go to the Search page within the Cloudflare application and perform a search against the raw cloudflare data that has been indexed, do you see all of the expected fields from the query you shared visible? I'm expecting one, or more, of them is missing which is causing this query to fail. That or there are simply no events with OriginResponseStatus="200" in them.
ClientCountry
ClientDeviceType
dest_ip
dest_host
uri_parth
http_user_agent
http_method
status
src_ip
uri_path
OriginResponseStatus
RayID
WorkerSubrequest