All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why doesn't the SolarWinds Add-on for Splunk always process all imported data?

shudv_2
New Member
‎04-09-2018 01:02 AM

I have successfully setup the add-on (as I thought).
I have setup the app with a query that runs every 24 hours and gets all the subnets from IPAM Solarwinds.
And it worked for a couple of days.
But one day I noticed that out of 1267 nets available in IPAM it imported only 215. Yet the other day it imported all of the nets successfully.
Checking my query with SWQL Studio always returned all the available 1267 subnets. So I believe it is not the query problem.
If a disable and enable the input I created in the add-on (to rerun it) after one or two hits it imports all the subnets. That's very odd.
Turning on debugging and examining the add-on log did not reveal any errors. The output is just the same when it gets all the records and when it doesn't.
The other strange thing I noticed is that when I enable the input and look at the Splunk search in real-time I see the following "215 of 1267 events matched". That is what I see when not all of the events get imported from IPAM.
Could you some help.
Thanks in advance!

0 Karma
Reply

niemesrw
Path Finder
‎07-25-2018 12:37 PM

I have an identical one running in a python script that returns around 26k values, however the exact same query in the app only returns around 14k values. I also enabled debug logging & don't see any errors.

My query is as follows:
SELECT IPAddress AS ip, SubnetId, DhcpClientName as dns, ToLower(MAC) AS mac FROM IPAM.IPNode WHERE mac IS NOT NULL

Python code:
qr = swis.query("SELECT IPAddress AS ip, SubnetId, DhcpClientName as dns, ToLower(MAC) AS mac FROM IPAM.IPNode WHERE mac IS NOT NULL")

Any advice on next steps to troubleshoot would be appreciated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...