All Apps and Add-ons

Sys-Health-Check Dashboard not populating

richardphung
Communicator

Looks like Network Overview, NetworkHealth + drilldowns, Link States, and Network Search are all populating correctly.

The Dashboard Panels under Sys-Health-Check are blank, with No Results.
External Table (TCAM) Counters, etc.

These are driven by the search (or similar):

index=extnet | rex "SysName:\s+(?<sysName>.*)\s+SysLocation" | rex "System\sMAC:\s+(?<sysMAC>\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2})" | rex max_match=0 "(?<timeStamp>\d+/\d+/\d+\s+\d+:\d+:\d+\.\d+)\s+\<Warn:HAL\.Sys\.HCExtTbl\>\s+Slot-(?<slotNum>\w):\s+Sys-Health-Check:\sExternal\sTable" | fillnull value="Not Available" sysName | fillnull value="Not Available" sysMAC  | search slotNum=* | eval combiField=mvzip(timeStamp,slotNum) | mvexpand combiField | rex field=combiField "(?<time>.*),(?<slot>.*)" | convert mktime(time) AS time | where time>relative_time(now(),"-25y") |  dedup sysName,slot,time | stats count by sysName,sysMAC,slot | rename sysName AS "SysName" sysMAC AS "MAC Address" slot AS "Slot" count AS "Count"

Is there anything I need to do on the Collector config to get these events?

e.g. configure tech-support add collector [hostname | ip_address] tcp-port <port#> {ssl [on | off]}

Or has the syntax changed?
I noticed that:

\s+Slot-(?<slotNum>\w):\s+Sys-Health-Check:\sExternal\sTable

Doesn't return anything.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...