All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

vpc_flow_logs_traffic and vpc_flow_logs_security dashboards not populating

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:43 AM

I collect my vpc logs using the aws addon :
sourcetype=aws:cloudwatchlogs:vpcflow
index=myvpclogs
I can see the data in my index.

but my dashboards in the aws app on the vpc logs do not populate : vpc_flow_logs_traffic and vpc_flow_logs_security
look like the search is looking for data in index=aws_vpc_flow_logs

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:45 AM

The problem was my custom index

  • I was collecting vpc logs in the index myvpclogs
  • 3 scheduled summary searches are searching for the sourcetype aws:cloudwatchlogs:vpcflow and generate summarized data in the index=aws_vpc_flow_logs
  • the VPC dashboard are populated by a search looking in a summary index=aws_vpc_flow_logs

Because my index was custom and not searched by default, the summary search didn't see my data.
The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"
Then the summary searches are now able to see the data, and the dashboard populates.

View solution in original post

Reply
Solved! Jump to solution

dandu1008
New Member
‎03-09-2018 08:07 PM

Hi yannk,

I am stuck with exact same issue, could you please give the detail steps how you resolved this.
But I have not given any custom index name, I've chosen default as index. I able to query data in search but data is not populating in VPC security dashboards.
Where do I need change configurations?

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎03-10-2018 03:47 AM

Try changing summary searches with your default index.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎03-12-2018 01:44 PM

Have you edited the macro to add the index in it as a condition ?

The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:45 AM

The problem was my custom index

  • I was collecting vpc logs in the index myvpclogs
  • 3 scheduled summary searches are searching for the sourcetype aws:cloudwatchlogs:vpcflow and generate summarized data in the index=aws_vpc_flow_logs
  • the VPC dashboard are populated by a search looking in a summary index=aws_vpc_flow_logs

Because my index was custom and not searched by default, the summary search didn't see my data.
The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"
Then the summary searches are now able to see the data, and the dashboard populates.

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...