Technology Inventory Add-on for Splunk: Why aren't events searchable and why are pre-built panels coming up empty?

Engager

We would like to use the Technology Inventory Add-on for Splunk, but we can't seem to get the prebuilt panels to populate. We see events in Splunk from Splunk's Linux add-on for the 5 scripts mentioned in Technology Inventory Add-on for Splunk's Complete List documentation, but searching for "techinventory_indexes tag=inventory" returns no results and the pre-built panels are empty.

I didn't think I missed any configuration steps, but perhaps I did?

0 Karma
1 Solution

Ultra Champion

Hi! Thanks for providing the feedback! I see the documentation doesn't elaborate on indexes as much as I would have liked, so let's see if we can sort this out and then I'll make an update accordingly.

macro techinventory_indexes is defined as other macros which ultimately bring us to index=os and index=windows. It's possible the data you are collecting is merely in other indexes. Is this as simple as adding your index to the respective macros?

Specifically, find what indexes your inputs are sending the data to, then add those indexes to either windows_indexes OR unix_indexes macros.

If that isn't the problem then this could be an issue with the sourcetypes having been updated in recent updates to the dependent TAs. But let's start with the former first.

Engager

Thank you, that seems to have resolved it. Changed it to "( index=os OR index=main )" and data started showing up in the dashboard panels.

0 Karma
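
The two steps from the accepted answer (find which indexes the inputs write to, then list them in the macro), as an added example that is not part of the original thread or the add-on's own code. The inputs.conf excerpt is constructed, and the script skips disabled stanzas and assumes an input with no `index` setting lands in `main` unless a `[default]` stanza says otherwise.

```python
import configparser

# Constructed inputs.conf excerpt (sample data, not taken from the thread).
SAMPLE_INPUTS = """\
[default]
index = main

[script://./bin/hardware.sh]
sourcetype = hardware
index = os
disabled = 0

[script://./bin/package.sh]
sourcetype = package
disabled = 0

[script://./bin/df.sh]
sourcetype = df
index = scratch
disabled = 1
"""


def indexes_in_use(inputs_text, fallback="main"):
    """Return the indexes that enabled scripted inputs write to, in file order."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.read_string(inputs_text)
    # Assumption: an input without its own index uses [default], else "main".
    default_index = parser.get("default", "index", fallback=fallback).strip()
    found = []
    for stanza in parser.sections():
        if not stanza.startswith("script://"):
            continue
        disabled = parser.get(stanza, "disabled", fallback="0").strip().lower()
        if disabled in ("1", "true"):
            continue  # disabled inputs send nothing, so their index is irrelevant
        index = parser.get(stanza, "index", fallback=default_index).strip()
        if index not in found:
            found.append(index)
    return found


def macro_definition(indexes):
    """Build the search fragment to paste into unix_indexes or windows_indexes."""
    return "( " + " OR ".join(f"index={name}" for name in indexes) + " )"
```

For the constructed sample this yields `( index=os OR index=main )`, the same definition the original poster ended up with.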

Ultra Champion

Huzzah! I've created a bug item to keep track of the gap in documentation as well. Thanks for asking and bringing this gap to my attention!

0 Karma

Ultra Champion

FYI: The Details have been edited in hopes of clarifying this. Thank you for your patience!