All Apps and Add-ons

TrackMe App only show data host from a certain time

Na_Kang_Lim
Path Finder

I am monitoring some of the information from the TrackMe App, and I noticed that for the trackme_host_monitoring lookup AKA the data host monitoring utils of the app, all the hosts I can see had the data_last_time_seen value greater than 04/03. Today is 05/12.

If I use metadata command, I can see the hosts that has not sent log from earlier than 04/03. Like 03/31.

So what config/macro of the app is probably the cause?

Labels (2)
0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @Na_Kang_Lim 

Based on the lookup name, It sounds like you are on TrackMe V1, have you considered upgrading to V2.x? There are a bunch of bug fixes which could be impacting your issue here, and new features you can use in the later versions.

@asimit Im intrigued by the "trackme_max_data_tracker_history" macro - where can I find this? I cant see it in my installation of TrackMe (V1 or V2)! Also the REST endpoint you doesnt seem to exist. 

guilmxm
Influencer

Hi @Na_Kang_Lim 

@livehybrid  is 100% right, TrackMe V1 is out of date and unsupported since more than 2 years now, therefore I wouldn't respond on this.
Please consider upgraded to TrackMe V2: https://docs.trackme-solutions.com
there are options to migrate from V1 to V2 (https://docs.trackme-solutions.com/latest/migration_trackmev1.html) but I would suggest to consider a fresh configuration instead rather than migrating stuffs.

0 Karma

asimit
Path Finder

Hi @Na_Kang_Lim,

The TrackMe App has a default data retention/tracking period setting that's likely causing you to only see hosts with data_last_time_seen values after 04/03.

This is controlled by the "trackme_max_data_tracker_history" macro which defaults to 30 days of history retention. You can modify this setting to include older hosts:

a. Navigate to Settings > Advanced Search > Search macros
b. Find the macro "trackme_max_data_tracker_history"
c. By default, it's set to "-30d" which means it only tracks 30 days of history
d. Modify this value to extend the period (e.g., "-60d" or "-90d")
e. Save your changes and wait for the next scheduled collection to run

Additionally, check these potential causes:

a. The TrackMe collection might have been reset or reinstalled around 04/03
b. There might be a tracker purge operation scheduled that removes older entries
c. The "Data Sampling" feature might be enabled with a custom time range

You can verify current settings with:

```
| rest /servicesNS/-/trackme/configs/conf-trackme/trackme_gen_settings
| table title value
```

If you need to force TrackMe to rebuild its tracking data:

```
| outputlookup trackme_host_monitoring
```

Please give 👍 for support 😁 happly splunking .... 😎

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...