The Splunk For Bluecoat view "bcoat_overview" does not display results for my data contained in a custom index even though I modified the macro

sdwilkerson
Contributor

I deployed the Splunk for Bluecoat app, modified the macro.conf to point to my custom index (per the instructions) and all of the dashboards populate except the splash page which is "bcoat_overview."

How do I get data to show up here?

1 Solution

sdwilkerson
Contributor

Although the documentation located here http://apps.splunk.com/app/245 for the Splunk for Bluecoat app mentions you need only to modify the macro to point to where your Bluecoat data is (e.g. what index you have it in) there is another step you need to do that isn't documented.

Unfortunately, the app does not use its own macros for the splash page, which is bcoat_overview and instead uses bare searches directly to a static location (index=bcoat_proxy).

Until this app is updated to properly use the macro, you need to edit this dashboard's XML to fix the problem.

To do this:

  • From the Splunk for Bluecoat app, click on Manager on the top right portion of the screen
  • Click User Interface
  • Click Views
  • Click bcoat_overview
  • In the text-editor, search for index=bcoat_index and replace it with something like: `bcoat_request` (enclosed in back-ticks to signify a macro).
  • Click Save
  • Navigate back to the app, and the splash page should now work.
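
The same check can be scripted against a copy of the view XML. This is an added example, not part of the original post or the app's own code: it flags literal `index=` terms and swaps in the `bcoat_request` macro named above. The sample view, its module layout and its field names are constructed for illustration.

```python
import re

# A literal index=<name> term, optionally quoted, anywhere in a search string.
HARDCODED_INDEX = re.compile(r'\bindex\s*=\s*"?([\w*-]+)"?')

# Constructed sample, NOT the app's real bcoat_overview XML.
SAMPLE_VIEW = """<view>
  <module name="HiddenSearch">
    <param name="search">index=bcoat_proxy | stats count by cs_host</param>
  </module>
  <module name="HiddenSearch">
    <param name="search">`bcoat_request` | top limit=10 c_ip</param>
  </module>
  <module name="HiddenSearch">
    <param name="search">index="bcoat_proxy" sc_status=403 | timechart count</param>
  </module>
</view>"""


def find_hardcoded_indexes(view_xml):
    """Return (line_number, index_name) for every literal index= term."""
    hits = []
    for lineno, line in enumerate(view_xml.splitlines(), start=1):
        for match in HARDCODED_INDEX.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def use_macro(view_xml, macro="bcoat_request"):
    """Replace each literal index= term with a back-ticked macro call."""
    return HARDCODED_INDEX.sub("`" + macro + "`", view_xml)


if __name__ == "__main__":
    for lineno, index_name in find_hardcoded_indexes(SAMPLE_VIEW):
        print(f"line {lineno}: search bypasses the macro (index={index_name})")
    fixed = use_macro(SAMPLE_VIEW)
    print(fixed)
    print("remaining hard-coded terms:", find_hardcoded_indexes(fixed))
```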

Unhacker
Explorer

Btw this was exactly the fix I needed, in my case. Not sure if anyone else has mentioned this, but I found that with it configured as shipped, I not only "saw no results" in the app but furthermore it would peg the frak out of my server while it searched (in vain). Simply loading the BC App has pummeled the thing to a 60 load average (yes - SIXTY). Good thing I wasn't running it on Windows or it would've burst into flames.

But now that it works you've made me a Supa Stah (thanks!!) 😛

sdwilkerson
Contributor

Great, thanks! So, why not just use the same macros in the "splash page" that has the issue? If you do that, no need to update the docs or have users "modify" (i.e. immortalize in local) that splash View?

ddorsey_splunk
Splunk Employee

Thanks. I've updated the instructions for the app to include this information.
