Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Modifying the All Indexed Data dashboard for custo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have customized the Windows App to send perfmon and windows events to separate indices (named perfmon and winevents, respectively). As such, the "All Indexed Data" dashboard at the bottom of the Windows_App_Info ("Overview") page no longer renders the information correctly.
I dove into the XML and tried to re-arrange the search, but had little success with this. It seems to be bound to constraints I am not terribly familiar with (a bit of a novice here). For example, the search to render the "Sources" column is: | metadata type=sources (eventtype="windows_performance" OR eventtype="windows_events") (...etc...). The relevant eventtype definitions have been updated to specify the relevant custom index, and work in normal searches, though not in this particular lookup. On top of that, I can retrieve data if I specify index=*, though this is not exactly what I want. If I change the search to specify (index=winevents OR index=perfmon) in place of the eventtypes parameters, it produces 0 results.
Am I only allowed to specify one index here? Has anyone had any luck getting this to dashboard to render using custom indices?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I inadvertently figured out the answer to my original question, as well as my follow up.
I can get the search results to appear, as well as the drill-down hyperlinks to work for this dashboard if I include the custom indices as default indices under the relevant user roles.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I inadvertently figured out the answer to my original question, as well as my follow up.
I can get the search results to appear, as well as the drill-down hyperlinks to work for this dashboard if I include the custom indices as default indices under the relevant user roles.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A couple of things to check -
1. Does this user role have access to the new indices that you've setup?
2. Have you modified eventtypes.conf stanzas to include the relevant indices? For example -
[windows_performance]
search = index=perfmon (sourcetype="powershell" OR sourcetype="Perfmon:" OR sourcetype="WMI:Perfmon")
3. You can specify more than one index to target in the searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I got the search term correct. There seems to be a restriction where you can't specify OR with indices? I modified the search from:
| metadata type=sources (eventtype="windows_performance" OR eventtype="windows_events")
to:
| metadata type=sources (index=perfmon OR index=winevents)
...which returned nothing. After your post, I tried this instead:
| metadata type=sources index=perfmon index=winevents
...which does work; now I'm getting results. However drilling into the content omits any references to the index, so there must be something else I need to customize to include this.
Building Reliable Asset and Identity Frameworks in Splunk ES
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
Automatic Discovery Part 3: Practical Use Cases
