Indexes are being populated with data, but why is the Splunk App for Cisco UCS not displaying data?

ebailey
Communicator

I have installed the Splunk App for UCS and I can see data being collected by the HF, and the indexes are being populated with data from the scripted input and syslog from the UCS instance. My issue is that the app is not displaying any data. Do I need to wait for data to be ready for display? Any troubleshooting tips?

Thanks!

0 Karma

halr9000
Motivator

No, it should not take long for data to show up. Have a look at the below, and if you've got some helpful error messages, let us know.

This is all from the README in the main app root folder:

TEST YOUR INSTALL

The main app dashboard can take some time before the data is returned which will populate some of the panels. A good test to see that you are receiving all of the data we expect is to run this search after several minutes:

index="cisco_ucs*" | stats count by sourcetype

In particular, you should see these sourcetypes:
* ciscoucs:ucsm:fault
* ciscoucs:ucsm:inventory
* ciscoucs:ucsm:perf

If you have configured UCS to send syslog events into Splunk, you may also see:
* ciscoucs:syslog
* syslog

If you don't see these sourcetypes, have a look at the messages output by the scripted input: Collect.py. Here is a sample search that will show them:

index=_internal component="ExecProcessor" Collect.py | table _time host log_level message

(INFO log_level is good, WARN or ERROR are bad.)

0 Karma

ebailey
Communicator

I ran the tests you put in the readme and everything came back with data. The problem is that the UI is not presenting the data. I am going to break down the searches and maybe this is a path issue or something.

0 Karma

ebailey
Communicator

I am wondering if something is wrong with the data.

The query for inventory summary is

eventtype=ucs-inv | eval fqdn=ucs+":"+dn | dedup fqdn sortby +_Time | append [search eventtype=ucs-perf class=topSystem | dedup name] | lookup classDescription class OUTPUT description as classDescr | fields *

The search returns no data but if I remove everything back to the eventtype - I get the following

ys/switch-B/slot-3|Cisco Systems, Inc.|16|operable|N/A|0|unknown|FOC17413PKQ|unknown|equipped|2015-02-09T11:46:31.664|UCS-FI-E16UP|operable|unknown|3|online|0|O2 16 port flexible GEM|online

It looks like the eval is breaking down. Is this the right data for eventtype ucs-inv?

0 Karma

halr9000
Motivator

Try a search for "eventtype=ucs-inv BD_SPLUNK". We want that to return zero results. Also, inspecting the above, it looks like there is some truncation. Was that a paste error, or is that how it looks?

You are seeing one of two problems which I am aware some are seeing. Hopefully we can figure out which one.

What Splunk version? UCS Manager version?

0 Karma

ebailey
Communicator

The search returned 111 results over 60 minutes.

That is how the data looks in Splunk. Splunk 6.1.2. I am getting the version of the UCSM.

0 Karma

ebailey
Communicator

ucsm version 2.2.3b

0 Karma