I am troubleshooting why "User login activity" of Nextcloud App is showing no results and by analyzing the results the dashboard query is:
sourcetype=TERM(nextcloud-log) app=admin_audit action="Login successful" user="*" userAgent!=curl*
| iplocation remoteAddr
| timechart count by user
When I dig further, I see that the "app" field value is always set to "nextcloud" and never gets the right app value from the nextcloud-log sourcetype (which are extracted from the script of the add-on). Then, I consulted the /opt/splunk/etc/apps/TA-nextcloud/default/props.conf and I see the following statement:
EVAL-app = "nextcloud"
What is the use of this statement? Is this a mistake/bug? Because I am considering overriding this value on the local directory.
Could you check which version of the add-on and which version of the app you have installed?
I think you have an older version of the app, but the latest version of the add-on.
In the latest version the query looks different.
The EVAL-app = "nextcloud" statement is not a bug or mistake, but is there to make the data CIM compatible. CIM (Common Information Model) is a data model that enables for example Splunk ES to make use of the data, and CIM makes use of a field named "app". Instead, the latest app (and add-on) renames the field name to "ncApp".
I guess the developer messed up by not making it clear when the add-on was updated that a requirement was that the app also be updated (assuming the above is the reason it isn't working for you).
The first line of SPL for the "Login activity over time" panel in the "User login activity" dashboard in v2.6.1 of the app looks like this:
sourcetype=TERM(nextcloud-log) ncApp=admin_audit message="Login successful*" user="$userToken1$" user="$user$" url!=TERM(*/ocs/v2.php/apps/serverinfo/api/v1/info)
and not like the line you have shown in your question.
Was the dashboard that didn't work ever modified before installing the latest app? If that is the case, the modified dashboard takes precedence and the new dashboards in the latest version of the app will not be used. You could try to move the dashboards in the "local" directory to somewhere safe, then restart the Splunk server to see if the default dashboard then works.