action="*" not working in Splunk 6

Path Finder

Hello,

I am using Splunk for Squid in Splunk 6. I did notice that this app is not supported by Splunk 6; I hope that you will still be able to support this app in the latest version. The field extractions are working properly, but the dashboard elements are not populating properly. Specifically, this search returns no results:

search sourcetype="squid" action="*" | eval reqcount=1 | timechart per_second(reqcount) by action

causing the dashboard elements to not populate. For some reason when you add action="*" the query does not return any results. Any support would be appreciated.

0 Karma

Re: action="*" not working in Splunk 6

Legend

There's no reason why the app wouldn't work with Splunk 6. It doesn't make use of any 5.x/6.x features but nothing should break. Are other fields extracted properly (I highly doubt they are)? The ones listed in the "Documentation" tab here: http://apps.splunk.com/app/453/

If not, I suspect your Squid logs are in another format than what is expected by the app.

0 Karma

Re: action="*" not working in Splunk 6

Path Finder

The other fields are being extracted properly. I noticed that this query did not work:

search sourcetype="squid" action="*" | eval reqcount=1 | timechart per_second(reqcount) by action

But this did work:

sourcetype="squid" | search action="*" | eval reqcount=1 | timechart per_second(reqcount) by action

By adding the search action="*" it was able to query correctly. With this knowledge I could modify the app, but it makes sense to find the root of the issue.

0 Karma

Re: action="*" not working in Splunk 6

Legend

Thanks for the feedback - I'll try to reproduce the problem on my end and keep you updated.

0 Karma

Re: action="*" not working in Splunk 6

Path Finder

Just so you are aware, I also have the TA-pfsense app installed which might also be trying to parse the squid logs. Thanks!

0 Karma

Re: action="*" not working in Splunk 6

Legend

Oh - yeah, that could definitely be possible. If you could verify this that would be great.

0 Karma

Re: action="*" not working in Splunk 6

Path Finder

I just checked and I do have TA-pfsense installed.

http://apps.splunk.com/app/1527/

My understanding was that because the folder name for Splunk on Squid started with a letter 'S' it would have precedence over the TA-pfsense transforms.conf, correct?

0 Karma

Re: action="*" not working in Splunk 6

Path Finder

I found a workaround for this issue. I modified the app's reports so they were looking for action="TCP*". This allowed the dashboards to be populated. I think some of my other apps were causing the problem.

0 Karma