All Apps and Add-ons

Search Activity App: Backfill with "no ldap" option selected does not seem to take place

kqc767
Path Finder

This looks like a very cool app, but I can't get past the "setup" page...nothing populates.

Any ideas?

1 Solution

David
Splunk Employee
Splunk Employee

I found a bug which may be the root cause for this issue -- that will be fixed an available in the next release, coming out next week.

In the interim, you can manually re-kick the process by running the following search:

`FillSearchHistory_Search` `FillSearchHistory_TSCollect`

You can choose to run it over a short period of time or a long period. Depending on the number of searches in your environment, you may want to chunk it up to achieve a longer backfill. If you do have tens of thousands of searches per day and want to backfill over more than a few weeks, let me know and I can provide you an easy way to facilitate that.

View solution in original post

David
Splunk Employee
Splunk Employee

I found a bug which may be the root cause for this issue -- that will be fixed an available in the next release, coming out next week.

In the interim, you can manually re-kick the process by running the following search:

`FillSearchHistory_Search` `FillSearchHistory_TSCollect`

You can choose to run it over a short period of time or a long period. Depending on the number of searches in your environment, you may want to chunk it up to achieve a longer backfill. If you do have tens of thousands of searches per day and want to backfill over more than a few weeks, let me know and I can provide you an easy way to facilitate that.

kqc767
Path Finder

Hi, David...that did the trick!

I made the mistake of running each of the above macros as a separate search, but when used exactly as specified, the backfill ran immediately and successfully.

I'm still getting the orange "caution" icon in the setup screen, but otherwise, everything seems to be working well.

JP

David
Splunk Employee
Splunk Employee

I'm happy to hear that's working! If you do find value (or don't find any value!), shoot me an email -- dveuve, splunk.com. I'm happy to get feedback, recommendations, new use cases, new requirements, etc., etc.

kqc767
Path Finder

Error messages from second pane of "Troubleshooting TSIDX Population" dashboard:

3/12/15
12:27:17.606 PM

03-12-2015 12:27:17.606 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" splunklib.binding.HTTPError: HTTP 400 Bad Request -- Invalid latest_time: latest_time must be after earliest_time.
3/12/15
12:27:17.606 PM

03-12-2015 12:27:17.606 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" raise HTTPError(response)
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" File "/opt/splunk/etc/apps/search_activity/bin/splunklib/binding.py", line 1110, in request
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" return self.request(url, message)
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" File "/opt/splunk/etc/apps/search_activity/bin/splunklib/binding.py", line 1090, in post
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" response = self.http.post(path, all_headers, **query)
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" File "/opt/splunk/etc/apps/search_activity/bin/splunklib/binding.py", line 658, in post
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" val = f(*args, **kwargs)
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" File "/opt/splunk/etc/apps/search_activity/bin/splunklib/binding.py", line 62, in new_f
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" return request_fun(self, *args, **kwargs)
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" File "/opt/splunk/etc/apps/search_activity/bin/splunklib/binding.py", line 240, in wrapper
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" return self.service.post(path, owner=owner, app=app, sharing=sharing, **query)
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" File "/opt/splunk/etc/apps/search_activity/bin/splunklib/client.py", line 764, in post
3/12/15
12:27:17.605 PM

03-12-2015 12:27:17.605 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" response = self.post(search=query, **kwargs)
3/12/15
12:27:17.604 PM

03-12-2015 12:27:17.604 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" File "/opt/splunk/etc/apps/search_activity/bin/splunklib/client.py", line 2881, in create
3/12/15
12:27:17.604 PM

03-12-2015 12:27:17.604 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
3/12/15
12:27:17.604 PM

03-12-2015 12:27:17.604 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" File "/opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py", line 232, in
3/12/15
12:27:17.604 PM

03-12-2015 12:27:17.604 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/search_activity/bin/CheckDataStats-events.py" Traceback (most recent call last):

0 Karma

ppablo
Retired

Hi @kqc767

Glad you found a workaround through @David 🙂

Sidenote: Please be sure that when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation.

I've converted your other "answers" appropriately, but this one I'm commenting on can no longer be converted to a comment since it is beyond the character limit. If you have a long response and are hitting a character limit when leaving a comment, just break it up into multiple comments. Just something to keep in mind from here on out. Thanks!

0 Karma

David
Splunk Employee
Splunk Employee

I'm sorry to hear that it's not working! It should automatically kick off the backfill once you have specified the backfill window under the Data Store section of setup. Can you let me know what the values are for the macros: backfill_events_internal, backfill_events_window, backfill_search_internal, and backfill_search_window are? If you go to the Troubleshooting TSIDX Backfill dashboard under the setup menu, do you see any error messages in the second panel?

In the next version, I'm working on a proper support system that will let you submit the app-equivalent of a diag -- I can also give you a preview release (full release should be next week or so), so you can get me all the details to troubleshoot it.

0 Karma

kqc767
Path Finder

Thanks for your help--here are the macro values that I have:

backfill_events_internal = -1
backfill_events_window = 0
backfill_search_internal = 1
backfill_search_window = 0

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...