All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The Splunk For Bluecoat view "bcoat_overview" does not display results for my data contained in a custom index even though I modified the macro

sdwilkerson
Contributor
‎09-05-2013 08:37 AM

I deployed the Splunk for Bluecoat app, modified the macro.conf to point to my custom index (per the instructions) and all of the dashboards populate except the splash page which is "bcoat_overview."

How do I get data to show up here?

Reply
1 Solution
Solved! Jump to solution
Solution

sdwilkerson
Contributor
‎09-05-2013 08:46 AM

Although the documentation located here http://apps.splunk.com/app/245 for the Splunk for Bluecoat app mentions you need only to modify the macro to point to where your Bluecoat data is (e.g. what index you have it in) there is another step you need to do that isn't documented.

Unfortunately, the app does not use its own macros for the splash page, which is bcoat_overview and instead uses bare searches directly to a static location (index=bcoat_proxy).

Until this app is updated to properly use the macro, you need to edit this dashboard's XML to fix the problem.

To do this:

  • From the Splunk for Bluecoat app, click on Manager on the top right portion of the screen
  • Click User Interface
  • Click Views
  • Click bcoat_overview
  • In the text-editor, search for index=bcoat_index and replace it with something like: `bcoat_request` (enclosed in back-ticks to signify a macro).
  • Click Save
  • Navigate back to the app, and the splash page should now work.

View solution in original post

Reply
Solved! Jump to solution
Solution

sdwilkerson
Contributor
‎09-05-2013 08:46 AM

Although the documentation located here http://apps.splunk.com/app/245 for the Splunk for Bluecoat app mentions you need only to modify the macro to point to where your Bluecoat data is (e.g. what index you have it in) there is another step you need to do that isn't documented.

Unfortunately, the app does not use its own macros for the splash page, which is bcoat_overview and instead uses bare searches directly to a static location (index=bcoat_proxy).

Until this app is updated to properly use the macro, you need to edit this dashboard's XML to fix the problem.

To do this:

  • From the Splunk for Bluecoat app, click on Manager on the top right portion of the screen
  • Click User Interface
  • Click Views
  • Click bcoat_overview
  • In the text-editor, search for index=bcoat_index and replace it with something like: `bcoat_request` (enclosed in back-ticks to signify a macro).
  • Click Save
  • Navigate back to the app, and the splash page should now work.
Reply
Solved! Jump to solution

Unhacker
Explorer
‎11-11-2013 12:48 PM

Btw this was exactly the fix I needed, in my case. Not sure if anyone else has mentioned this, but I found that with it configured as shipped, I not only "saw no results" in the app but futhermore it would peg the frak out of my server while it searched (in vain). Simply loading the BC App has pummel the thing to a 60 load average (yes - SIXTY). Good thing I wasnt running it on Windows or it would've burst into flames.

But not that it works you've made me a Supa Stah (thanks!!) 😛

Reply
Solved! Jump to solution

sdwilkerson
Contributor
‎09-16-2013 06:58 AM

Great, thanks! So, why not just use the same macros in the "splash page" that has the issue? If you do that, no need to update the docs or have users "modify" (i.e. immortalize in local) that splash View?

Reply
Solved! Jump to solution

ddorsey_splunk
Splunk Employee
Splunk Employee
‎09-15-2013 01:23 PM

Thanks. I've updated the instructions for the app to include this information.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...