All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search Activity application Overall Metrics and Search acitvity dashboard not completely working

gjanders
SplunkTrust
SplunkTrust
‎09-27-2015 07:01 PM

I have the Search Activity application installed in Splunk 6.2.5 https://splunkbase.splunk.com/app/2632/
I initially had it on a search head cluster which after some period of testing did appear to be working, but it is not a recommended setup.

I have since moved it to the license master/deployment and deployer server which has no applications installed.

After a full 12 months of backfill, the search activity dashboard shows "Search produced no results" under the search head criteria. I had the same issue when running it on other search heads.

The "Top Apps and Views" appears to work just fine, and the overall metrics appear to show 0 results.

The troubleshooting TSIDX population shows all data is up to date and I have approx 10 months of data within the index and I cannot see any errors. Search history is marked as "Backfill Complete" and Events is makred as "0" seconds remaining.
The only item I notice is a lot of 404 errors on the URL /servicesNS/admin/search_activity/properties/macros/backfill_search_window/definition?count=0 by the splunk-system-user.

Is there something I have done wrong here?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎09-27-2015 07:25 PM

Hi!

The 404 errors are likely a red herring -- the command to update the macro will try a few different permissions models, to account for some quirks around how the REST API functions.

I'll follow up with you via your support ticket -- let's schedule a webex to troubleshoot what's going on.

Thanks,
David

Reply

gjanders
SplunkTrust
SplunkTrust
‎10-16-2015 12:32 AM

David, I have been unable to get in contact with you since the email in September.

If there is anyone else who has an idea of how I can troubleshoot this further please let me know.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎09-27-2015 07:09 PM

Search activity application version 2.2.3

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...