
SolarWinds Add-on for Splunk: No results when searching the output

Path Finder

Hi, I had a problem with setting up the SolarWinds add-on. I followed the guideline for installation and added the input data, but when searching the output it doesn't show any results.
I was confused about setting the account in the configuration. Could you tell me whether the credential to set up is for the SolarWinds server itself (I used Windows Server 2012), the credential to open the SolarWinds web console, or something else?

0 Karma

SplunkTrust

The SolarWinds Add-on for Splunk says

Enter the Credentials under the “Account” tab. These are the credentials needed to authenticate to the SolarWinds API. The username/password used should have the minimum permission needed to run the SolarWinds query via REST API

You need to use an account that can log into the SolarWinds web console, AND one that has at least the permission to query via the REST API. Any SW admin can do this. I think it is a permission given to regular users too but I'm not positive about that. Easy enough for you to check inside the User section of SW.

Happy Splunking,
Rich

0 Karma

Path Finder

Hi Rich, I already applied the setting using an admin account that can log in to the SolarWinds console, but the data still does not appear.

0 Karma

SplunkTrust

OK, so let's review. Can you try creating a new input step by step as I outline below? We'll try to keep as few places for this to go wrong so we can isolate what's really happening. Hence, this is a TEST input that you'll want to fix (one step at a time) after we hopefully get it going.

First, from your desktop: log into SolarWinds. Confirm you - your regular account - can log in ok.

Now let's test the SWIS (I think "Solar Winds Information Services") port is OK. Substituting in the IP of your own SW server in place of the "1.1.1.1" in the below, paste this into your browser URL and press enter. It should all be on one line.

https://1.1.1.1:17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Poller...

It will make you log in, use the same username and password you tested just a bit ago. In typical SW fashion, it is not known if you need to use domain\username or just username at this time, so if one doesn't work, try the other way.

If successful, you should get a bit of JSON back that tells you about your pollers. If not successful, you'll ... I don't know, get back an error or something? It should be obvious if it's not working. 🙂 Anyway, if it's not successful that's a SW problem or a firewall issue. I don't know quite enough to walk you through fixing the SWIS port, but Google and/or SW support folks can help you with this. Get this working. Nothing beyond here will work until that works.

NOTE that the SWIS port actually needs to be accessible BY YOUR SPLUNK SERVER, right? You just tested from your desktop, and I'm hoping that if there's a firewall in the way between you and your SW server that it's configured to allow the same traffic from your Splunk server to it. We'll just hope right now this is OK, but if we have a specific sort of trouble which I won't go into now we can dig deeper into this situation.

Now - once you've confirmed the above works, then on wherever you have your SW Add-on for Splunk installed:

Click configuration. Make sure you are in the "Account" tab and then "Add" a new account, give it a new unique name (SW_Test?), carefully enter your OWN username and password. Again, we're cutting out places this could be goofed up, so let's just use the ones you are good at typing. 🙂

Change to the "Logging" tab and change it to "DEBUG" and Save.

Change to the "Add-on Settings" tab and enter/confirm those settings, using the right port (defaults to 17778) and IP address as above. No need for http/https in front of the IP, just "1.1.1.1" with a port "17778" or whatever. Save that.

Now, back to "Inputs" page. "Create New Input" of SolarWinds Alerts. Give it a unique name (SWTestalerts), interval of, oh, say 5 minutes (300), change your index to wherever you want to put the results - hopefully use a test/temp index for testing, or AT LEAST make sure it's otherwise empty so you can delete it later after testing and before you start doing this "for real". In any case, pick your SW account (the new one you just made, SW_Test). Put in an initial start time of something recent, like 2018-01-10 01:01:01.001, then click save.

Then ... wait for an alert?

You should be able to see the alert with a search like...

index=<myindex_from_the_configuration>

Frankly, that should work fine enough for testing.

Let us know if this gets alerts to show up or not! Please, take careful notes of each step as you do them and the results. The notes will be what we'll have to use to continue debugging if it's not working, so include the details of each step - what you put in each field (except passwords), or take screenshots of each screen.

Happy Splunking!
-Rich

0 Karma
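An added example (not part of the thread and not the add-on's own code) of the two checks described in the answer above, written so they can be run from the Splunk server itself rather than from a desktop browser: first TCP reachability of the SWIS port, then one authenticated query. It assumes SWIS accepts HTTP Basic auth and answers with a JSON object containing a `results` list; the function names are hypothetical and the SWQL query is supplied by the caller.

```python
import base64, json, socket, ssl
import urllib.error, urllib.parse, urllib.request

# Path taken from the URL in the post; everything else here is an assumption.
SWIS_PATH = "/SolarWinds/InformationService/v3/Json/Query"

def check_port(host, port=17778, timeout=5):
    """Can THIS machine open a TCP connection to the SWIS port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False  # refused, filtered by a firewall, or timed out

def query_swis(base_url, user, password, swql, context=None, timeout=10):
    """Run one SWQL query with HTTP Basic auth; return (verdict, detail)."""
    url = base_url + SWIS_PATH + "?" + urllib.parse.urlencode({"query": swql})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    # Connect directly (ignore proxy environment variables) so the result
    # reflects the real Splunk-server-to-SolarWinds network path.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),
        urllib.request.HTTPSHandler(context=context))
    try:
        with opener.open(req, timeout=timeout) as resp:
            rows = json.load(resp).get("results", [])  # assumed response shape
            return "ok", f"{len(rows)} row(s) returned"
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return "auth", f"HTTP {e.code}: check the account and its API rights"
        return "http_error", f"HTTP {e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLError):
            return "tls", f"certificate not trusted: {e.reason}"
        return "unreachable", f"{e.reason}"
    except (ValueError, AttributeError):
        return "not_json", "response was not the expected JSON object"

if __name__ == "__main__":
    import getpass
    host = input("SolarWinds server: ")
    print("port 17778 open:", check_port(host))
    # Pass context=ssl.create_default_context(cafile=...) if the server uses
    # a private CA; do not switch certificate verification off to "fix" it.
    print(query_swis(f"https://{host}:17778", input("user: "),
                     getpass.getpass(), input("SWQL query: ")))
```

A `False` from `check_port` or an `unreachable` verdict points at the firewall between the Splunk server and SolarWinds; `auth` points at the account configured in the add-on.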

Path Finder

Wow, amazing... it's really working... The only thing I missed was the port. After allowing it, the input managed to read from the SWIS port... Thanks!

0 Karma