All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

vpc_flow_logs_traffic and vpc_flow_logs_security dashboards not populating

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:43 AM

I collect my vpc logs using the aws addon :
sourcetype=aws:cloudwatchlogs:vpcflow
index=myvpclogs
I can see the data in my index.

but my dashboards in the aws app on the vpc logs do not populate : vpc_flow_logs_traffic and vpc_flow_logs_security
look like the search is looking for data in index=aws_vpc_flow_logs

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:45 AM

The problem was my custom index

  • I was collecting vpc logs in the index myvpclogs
  • 3 scheduled summary searches are searching for the sourcetype aws:cloudwatchlogs:vpcflow and generate summarized data in the index=aws_vpc_flow_logs
  • the VPC dashboard are populated by a search looking in a summary index=aws_vpc_flow_logs

Because my index was custom and not searched by default, the summary search didn't see my data.
The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"
Then the summary searches are now able to see the data, and the dashboard populates.

View solution in original post

Reply
Solved! Jump to solution

dandu1008
New Member
‎03-09-2018 08:07 PM

Hi yannk,

I am stuck with exact same issue, could you please give the detail steps how you resolved this.
But I have not given any custom index name, I've chosen default as index. I able to query data in search but data is not populating in VPC security dashboards.
Where do I need change configurations?

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎03-10-2018 03:47 AM

Try changing summary searches with your default index.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎03-12-2018 01:44 PM

Have you edited the macro to add the index in it as a condition ?

The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:45 AM

The problem was my custom index

  • I was collecting vpc logs in the index myvpclogs
  • 3 scheduled summary searches are searching for the sourcetype aws:cloudwatchlogs:vpcflow and generate summarized data in the index=aws_vpc_flow_logs
  • the VPC dashboard are populated by a search looking in a summary index=aws_vpc_flow_logs

Because my index was custom and not searched by default, the summary search didn't see my data.
The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"
Then the summary searches are now able to see the data, and the dashboard populates.

Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...