Splunk App for AWS: Why are ELBs not appearing in the Traffic Analysis Dashboard?

Contributor

Seem to have an issue with the ELB - Traffic Analysis Dashboard on the Splunk App for AWS - only two ELBs show up when the search runs.

  1. I have verified that all the logs are being indexed into Splunk.
  2. The two that appear in the dashboard seem to have the field "elb" in the events.
  3. The remaining ELBs do not have this field and don't appear in the dashboard, although the sourcetype=aws:elb:accesslogs is correct and the data is indexing.

Any ideas what the issue might be? Any ideas why the elb field is missing for the other inputs? All of them (12 in total) are configured the same way.

0 Karma
1 Solution

Contributor

Found the solution - had to "manually" extract the fields - for some reason the Regex within props.conf did not work 😞

0 Karma

New Member

Are you using Splunk Cloud?
Regards,
Arsenio

0 Karma

Contributor

Arsenio,

I am using Splunk Enterprise. Turns out the Field Extracts were not correctly extracting the field "elb" (amongst others).

Rewriting the regex in props.conf fixed this issue.

0 Karma
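
A way to check an extraction regex against sample events per source before putting it in props.conf, as an added example that is not part of the original thread or the app's own configuration. Both regexes, the source names and the sample events are constructed; the thread does not say why the original regex failed, so the layout difference used here (AWS's Classic versus Application Load Balancer access log layouts) is only an illustration.

```python
import re
from collections import Counter

# Python spells named groups (?P<name>...); Splunk's PCRE also accepts (?<name>...).
# Both regexes are constructed for this example, not taken from the app's props.conf.
STRICT = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) (?P<client_ip>[\d.]+):(?P<client_port>\d+) ')
TOLERANT = re.compile(
    r'^(?:(?P<type>https?|h2|wss?) )?'         # optional leading connection type
    r'(?P<timestamp>\d{4}-\d{2}-\d{2}T\S+) '   # ISO 8601 timestamp
    r'(?P<elb>\S+) '                           # load balancer name
    r'(?P<client_ip>[\d.]+):(?P<client_port>\d+) ')

# Constructed (source, raw event) pairs. The first two use the Classic Load
# Balancer layout, the third the Application Load Balancer layout.
SAMPLE_EVENTS = [
    ("elb-web", '2016-08-10T22:08:42.945958Z elb-web 192.0.2.10:2817 10.0.0.1:80 '
                '0.000073 0.001048 0.000057 200 200 0 29 '
                '"GET http://example.com:80/ HTTP/1.1" "curl/7.38.0" - -'),
    ("elb-int", '2016-08-10T22:09:01.120034Z elb-int 192.0.2.20:4410 10.0.0.2:8080 '
                '0.000051 0.002210 0.000043 200 200 0 512 '
                '"GET http://example.com:80/health HTTP/1.1" "curl/7.38.0" - -'),
    ("alb-api", 'https 2016-08-10T23:39:43.065466Z app/alb-api/50dc6c495c0c9188 '
                '192.0.2.30:11789 10.0.0.66:80 0.086 0.048 0.037 200 200 0 57 '
                '"GET https://example.com:443/ HTTP/1.1" "curl/7.46.0"'),
]

def elb_coverage(pattern, events):
    """Return {source: (events_with_elb, total_events)} for one extraction regex."""
    total, hits = Counter(), Counter()
    for source, raw in events:
        total[source] += 1
        m = pattern.match(raw)
        if m and m.group("elb"):
            hits[source] += 1
    return {src: (hits[src], total[src]) for src in total}

def sources_missing_elb(pattern, events):
    """Sources where at least one event yields no elb field."""
    cov = elb_coverage(pattern, events)
    return sorted(s for s, (hit, tot) in cov.items() if hit < tot)

if __name__ == "__main__":
    for name, rx in (("strict", STRICT), ("tolerant", TOLERANT)):
        print(name, elb_coverage(rx, SAMPLE_EVENTS),
              "missing:", sources_missing_elb(rx, SAMPLE_EVENTS))
```

Running the same per-source coverage check on a few raw events exported from each input shows which inputs a candidate regex fails on before the dashboard does.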