All Apps and Add-ons

Tenant / index on Overview page tanking searches

jamesjarrett
Path Finder

I am not sure why but on the main page, none of the searches return results - unless i remove references to the indexes on the tstats search. I assume this is related to the multi tenancy support that is breaking it.

For example:

| tstats values(nodename) AS nodename count FROM datamodel=Cisco_IOS_Event WHERE Cisco_IOS_Event.product="IOS" index=* BY host index | search nodename=Cisco_IOS_Event | stats sum(count)

returns nothing, but:

| tstats values(nodename) AS nodename count FROM datamodel=Cisco_IOS_Event WHERE Cisco_IOS_Event.product="IOS"  BY host | search nodename=Cisco_IOS_Event | stats sum(count)

Works right.

The Tenant search properly hides as the macro probably comes back with nothing; i have assigned the tenant_index token with a value of "" to partially fix this issue..

Is this a known problem? or, is it something I have not set up correctly?

0 Karma

mikaelbje
Motivator

Should be fixed in the latest 2.5.6 version of the app. Tested against recent Splunk versions.

0 Karma

michaeljlancast
Explorer

I'm getting this error running on 6.6.7.

Error in 'PivotProcessor': Error in 'PivotUtil': The dataset 'Interface' has no field 'index'.

0 Karma

michaeljlancast
Explorer

I'm not sure what happened, but the data models/pivots seemed to start working after a few days. Maybe another restart was required??

0 Karma

russellliss
Path Finder

I am getting the same error on 7.1.2

0 Karma

xpac
SplunkTrust
SplunkTrust

I'm not sure if I remember correctly, but did you try putting an AND between Cisco_IOS_Event.product="IOS" and index=*?

0 Karma

jamesjarrett
Path Finder

that's a possibility, but the thing is this is how the dashboard came packaged; i I guess i should have said something more along the lines of 'it was broken out of the box and removing index references fixed it'

0 Karma

jamesjarrett
Path Finder

i just want to know if there is something i missed in configuring.. or that i configured wrong which is completely a possibility

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...