All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk App for Unix not showing hosts from peered indexers...

samlll42
Explorer
‎07-01-2014 05:25 PM

Hi Everyone

Problem: On Splunk App for Unix (latest versions of all the components) on a search head I cannot see hosts from indexers peered to the search head. The data is there if I do a search on index=os ( I can see perf data for all the hosts: CPU, PS etc...), but in the dashboard I can only see the hosts indexed locally (local host and a forwarder). What am I doing wrong?

Example:

= splunk-search (local indexer and search-head) peered with splunk-indexer

=== splunk-forwarder X (forwarding to splunk-search)

=== splunk-forwarder Y (forwarding to splunk-search)

=splunk-indexer (local indexer)

=== splunk-forwarder A (forwarding to splunk-indexer)

=== splunk-forwarder B (forwarding to splunk-indexer)

=== splunk-forwarder C (forwarding to splunk-indexer)

If I go to Splunk App for Unix dashboard on splunk-indexer I can see hosts for:

  • splunk-indexer (local) + splunk-forwarder A, B, C (which is expected)

If I go to Splunk App for Unix dashboard on splunk-search I can only see hosts for:

  • splunk-search (local) + splunk-forwarder X,Y - NOT splunk-indexer, nor splunk-forwarder A, B and C

But when I do a search on splunk-search index=os I can see data being found for all hosts.

Do I need to setup Splunk App for Unix in a specific way to display data for remote/peered indexes?

Reply

Strunk
Explorer
‎07-17-2014 08:49 AM

See this question:

http://answers.splunk.com/answers/132477/adding-hosts-to-splunk-app-for-unix

What worked for me was following those instructions to ensure each host was added to a group, which was then added to a category. I'm guessing that because I deployed the app to the universal forwarders/deployment clients after installing the app on the deployment server/index, the categories and groups weren't populated automatically.

Reply

Strunk
Explorer
‎07-17-2014 08:35 AM

I'm having the same problem, with getting data back from universal forwarders. The data is making it to the indexer/deployment server, but it's not showing up in the dashboard.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...