
Cloudflare app for Splunk integration with Splunk Cloud. Help!

AJH2000
Explorer

Hello Splunk Community,

I have installed the Cloudflare for Splunk app (https://splunkbase.splunk.com/app/4501) on Splunk Cloud and have successfully configured Logpush to send logs from Cloudflare to Splunk following the official instructions. I have verified that the logs are arriving correctly in Splunk using search queries like:

index=cloudflare | head 10

I can see the logs in the search results, confirming that data ingestion is working. However, when I open the Cloudflare for Splunk dashboards, they are empty, showing "No results found".

I've checked the following:

  1. Checked Data Arrival - Logs are arriving correctly in Splunk (index=cloudflare contains data).
  2. Confirmed Sourcetype - The logs are being assigned the expected sourcetype (cloudflare:access, cloudflare:network, etc.).
  3. Verified Time Range - Made sure the dashboards are set to a broad time range (Last 24 hours or All Time).
  4. Checked Permissions - Ensured that the user running the dashboards has access to the cloudflare index.
  5. Examined Dashboard Searches - Manually ran the searches used in the Cloudflare dashboards, but they returned no results.

Questions:

  • Has anyone faced this issue before?
  • Are there any known fixes or configuration adjustments required for the Cloudflare for Splunk dashboards to populate correctly?
  • Do I need to manually adjust field extractions or event types for the dashboards to work?

I appreciate any guidance or recommendations you can provide. Thanks in advance for your help!

Best regards,

0 Karma

livehybrid
Influencer

Hi @AJH2000 

I assume you haven't adjusted the default macros in the app, so they are pointing to the same cloudflare index you mentioned (which is the default).

There look to be two types of search in the app dashboards: one looks at the custom "cloudflare" data model and the other runs ad hoc searches against the cloudflare index.

The data model looks to have sourcetype=cloudflare:json. Can you confirm you have this?

Most of the sourcetype props in the app look to be search-time based, but there are some settings which are index-time parsing settings, such as line merging, truncation, etc. You mentioned that you're using Splunk Cloud: is the data landing directly on Splunk Cloud or is it going via an HF beforehand? If so, please can you confirm if you have the TA installed on your HF(s) where the data lands?

If you could "open in search" one of the failing dashboard searches so that we can see what's going on, then this might help further.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma

AJH2000
Explorer

Hi Will,

Yes, my Splunk index is named index=cloudflare, and I haven't adjusted any of the default macros—they still point directly to this default index.

I'm still relatively new to Splunk, so I was a bit confused by the cloudflare:json sourcetype. Currently, I'm receiving logs directly into Splunk Cloud via Cloudflare Logpush, with the following sourcetypes automatically assigned:

  • Zero Trust logs → cloudflare:access
  • DNS logs → cloudflare:dns
  • HTTP logs → cloudflare:http

I don't have events explicitly assigned to cloudflare:json. Do you know if I need this sourcetype specifically, or is it okay that my logs are using the specific types mentioned above?

I am using Splunk Cloud and receive these logs via Cloudflare Logpush.

Thanks again for your help—I appreciate your patience!

Regards,


AJH2000

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Can you please share one or more of the manual dashboard searches you ran? It's possible they have errors that prevent data from showing.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AJH2000
Explorer

Hi

[three screenshot attachments]

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I asked for searches and you gave me screenshots, not searches. How does that help you?

---
If this reply helps you, Karma would be appreciated.
0 Karma

AJH2000
Explorer

[two screenshot attachments of the dashboard search and its results]

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The first search is looking for non-empty AppDomain fields, but the second search shows the events do not have an AppDomain field at all. That will keep the dashboard from displaying data.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AJH2000
Explorer

Okay, thanks.

In this case, what steps do you recommend I take, and what would be the best way for me to modify my dashboard? What steps should I follow to find a solution?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Investigate the data source to determine why it does not have the AppDomain field. Perhaps it's not present and perhaps it's present under a different name. For the latter, add an EVAL or FIELDALIAS definition to map the field to the expected name.

I advise against changing third-party dashboards. Once you do that, it becomes your responsibility to keep the dashboard up-to-date. Updating the app will not update the dashboard because it will be a local change that overrides the default that ships with the app.

---
If this reply helps you, Karma would be appreciated.
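One way to apply the mapping suggested above, as an added illustration that is not part of the Cloudflare for Splunk app: a search-time props.conf stanza that supplies AppDomain without touching the app's dashboards. The sourcetype cloudflare:access is assumed to be the one the failing search targets, and <your_source_field> is a placeholder for whichever field in your events actually carries the application domain.

```ini
# Added example; not shipped with the Cloudflare for Splunk app.
# FIELDALIAS and EVAL are search-time settings, so this belongs in a
# local props.conf on the search tier (on Splunk Cloud, upload it as a
# small private app) rather than on an HF.
[cloudflare:access]

# Option 1: the value exists under another name; alias it to the name
# the dashboard search expects. <your_source_field> is a placeholder.
FIELDALIAS-cloudflare_appdomain = <your_source_field> AS AppDomain

# Option 2 (use instead of option 1 when the value needs transforming,
# e.g. normalising case before the dashboard compares it):
# EVAL-AppDomain = lower(<your_source_field>)

# Verify afterwards with a search such as:
# index=cloudflare sourcetype=cloudflare:access
#   | stats count AS events, count(AppDomain) AS with_appdomain
# with_appdomain should now equal events for the affected sourcetype.
```

Because the app's dashboard stays untouched, an app update will not undo this mapping, only the props stanza you own.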

AJH2000
Explorer

Hi, sorry for the screenshot before. Is this what you asked me for?

[screenshot attachment]

3/16/25
3:52:18.000 PM
{
   AccountID: aa8346d92df968cd0
   BytesReceived: 0
   BytesSent: 1260
   ClientTCPHandshakeDurationMs: 0
   ClientTLSCipher:
   ClientTLSHandshakeDurationMs: 0
   ClientTLSVersion: none
   ConnectionCloseReason: PROXY_CONN_REFUSED
   ConnectionReuse: false
   DestinationTunnelID: 8fcb-eb9c3e12
   DetectedProtocol:
   DeviceID: 12201bc8598d
   DeviceName: Dev
   EgressColoName:
   EgressIP: 
   EgressPort: 52772
   EgressRuleID: 00000000-0000-0000-0000-000000000000
   EgressRuleName:
   Email: 
   IngressColoName: ATL
   Offramp: CFD_TUNNEL
   OriginIP: 
   OriginPort: 
   OriginTLSCertificateIssuer:
   OriginTLSCertificateValidationResult: NONE
   OriginTLSCipher:
   OriginTLSHandshakeDurationMs: 0
   OriginTLSVersion: none
   Protocol: UDP
   RuleEvaluationDurationMs: 0
   SessionEndTime: 2025-03-16T19:50:03Z
   SessionID: 26421ab3fd000045601a91c400000001
   SessionStartTime: 2025-03-16T19:50:03Z
   SourceIP: 120.121.150.25
   SourceInternalIP:
   SourcePort: 52772
   UserID:
   VirtualNetworkID: 4497-9733-932d3b6b4e74
}

0 Karma