All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

vpc_flow_logs_traffic and vpc_flow_logs_security dashboards not populating

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:43 AM

I collect my vpc logs using the aws addon :
sourcetype=aws:cloudwatchlogs:vpcflow
index=myvpclogs
I can see the data in my index.

but my dashboards in the aws app on the vpc logs do not populate : vpc_flow_logs_traffic and vpc_flow_logs_security
look like the search is looking for data in index=aws_vpc_flow_logs

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:45 AM

The problem was my custom index

  • I was collecting vpc logs in the index myvpclogs
  • 3 scheduled summary searches are searching for the sourcetype aws:cloudwatchlogs:vpcflow and generate summarized data in the index=aws_vpc_flow_logs
  • the VPC dashboard are populated by a search looking in a summary index=aws_vpc_flow_logs

Because my index was custom and not searched by default, the summary search didn't see my data.
The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"
Then the summary searches are now able to see the data, and the dashboard populates.

View solution in original post

Reply
Solved! Jump to solution

dandu1008
New Member
‎03-09-2018 08:07 PM

Hi yannk,

I am stuck with exact same issue, could you please give the detail steps how you resolved this.
But I have not given any custom index name, I've chosen default as index. I able to query data in search but data is not populating in VPC security dashboards.
Where do I need change configurations?

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎03-10-2018 03:47 AM

Try changing summary searches with your default index.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎03-12-2018 01:44 PM

Have you edited the macro to add the index in it as a condition ?

The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎05-03-2017 11:45 AM

The problem was my custom index

  • I was collecting vpc logs in the index myvpclogs
  • 3 scheduled summary searches are searching for the sourcetype aws:cloudwatchlogs:vpcflow and generate summarized data in the index=aws_vpc_flow_logs
  • the VPC dashboard are populated by a search looking in a summary index=aws_vpc_flow_logs

Because my index was custom and not searched by default, the summary search didn't see my data.
The workaround was to edit the macro aws-vpc-flow-sourcetype to add the index list in a condition. "index=myvpclogs"
Then the summary searches are now able to see the data, and the dashboard populates.

Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...