Hello Splunk Community,
I have installed the Cloudflare for Splunk app (https://splunkbase.splunk.com/app/4501) on Splunk Cloud and have successfully configured Logpush to send logs from Cloudflare to Splunk following the official instructions. I have verified that the logs are arriving correctly in Splunk using search queries like:
index=cloudflare | head 10
I can see the logs in the search results, confirming that data ingestion is working. However, when I open the Cloudflare for Splunk dashboards, they are empty, showing "No results found".
I appreciate any guidance or recommendations you can provide. Thanks in advance for your help!
Best regards,
Hi @AJH2000
I assume you haven't adjusted the default macros in the app, so they are pointing to the same cloudflare index you mentioned (which is the default).
There look to be two types of search in the app dashboards: one which looks at the custom "cloudflare" datamodel and the other being ad hoc searches against the cloudflare index.
The datamodel looks to have sourcetype=cloudflare:json - Can you confirm you have this?
Most of the sourcetype props in the app look to be search-time based, but there are some settings which are index-time parsing settings, such as line merging, truncation etc. You mentioned that you're using Splunk Cloud - is the data landing directly on Splunk Cloud or is it going via a HF beforehand? If so, please can you confirm if you have the TA installed on your HF(s) where the data lands?
If you could "open in search" one of the failing dashboard searches so that we can see what's going on, then this might help further.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi Will,
Yes, my Splunk index is named index=cloudflare, and I haven't adjusted any of the default macros—they still point directly to this default index.
I'm still relatively new to Splunk, so I was a bit confused by the cloudflare:json sourcetype. Currently, I'm receiving logs directly into Splunk Cloud via Cloudflare Logpush, with the following sourcetypes automatically assigned:
I don't have events explicitly assigned to cloudflare:json. Do you know if I need this sourcetype specifically, or is it okay that my logs are using the specific types mentioned above?
I am using Splunk Cloud and receive these logs via Cloudflare Logpush.
Thanks again for your help—I appreciate your patience!
Regards,
AJH2000
Can you please share one or more of the manual dashboard searches you ran? It's possible they have errors that prevent data from showing.
Hi
I asked for searches and you gave me screenshots, not searches. How does that help you?
The first search is looking for non-empty AppDomain fields, but the second search shows the events do not have an AppDomain field at all. That will keep the dashboard from displaying data.
Okay, thanks.
In this case, what steps do you recommend I take, and what would be the best way for me to modify my dashboard? What steps should I follow to find a solution?
Investigate the data source to determine why it does not have the AppDomain field. Perhaps it's not present and perhaps it's present under a different name. For the latter, add an EVAL or FIELDALIAS definition to map the field to the expected name.
I advise against changing third-party dashboards. Once you do that, it becomes your responsibility to keep the dashboard up-to-date. Updating the app will not update the dashboard because it will be a local change that overrides the default that ships with the app.
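The diagnostic searches below cover both sets of questions raised in this thread: which sourcetypes are actually landing in the index and whether the app's datamodel sees any of them (Will's points), and where the AppDomain field is or isn't present and how a trial mapping would look before it is committed as an EVAL or FIELDALIAS (the advice above). They are an added example, not searches from the thread or from the Cloudflare for Splunk app. They assume the app's datamodel is literally named cloudflare, as it is referred to above, and the last search uses a hypothetical field name Host as a stand-in for whatever the field-summary search turns up; replace it with the real field. Each pipeline is a separate search, so run them one at a time.

```spl
index=cloudflare earliest=-24h
| stats count by sourcetype

| tstats count from datamodel=cloudflare by sourcetype

index=cloudflare earliest=-24h
| spath
| eval has_AppDomain=if(isnotnull(AppDomain) AND AppDomain!="", "yes", "no")
| stats count by sourcetype, has_AppDomain

index=cloudflare earliest=-24h
| spath
| fieldsummary
| search field="*Domain*" OR field="*Host*"
| table field, count, distinct_count, values

index=cloudflare earliest=-24h
| spath
| eval AppDomain=coalesce(AppDomain, Host)
| where isnotnull(AppDomain) AND AppDomain!=""
| stats count by sourcetype
```

The first search tells you whether cloudflare:json is among the sourcetypes at all; the second returns zero rows if the datamodel's constraint (sourcetype=cloudflare:json, per Will's post) matches nothing. The third and fourth show, per sourcetype, which events lack AppDomain and which extracted fields might carry the same value under a different name; spath is run explicitly so that JSON fields are visible even on sourcetypes the app's search-time extractions do not apply to. Once the last search returns the counts you expect, the same mapping can be made permanent as a field alias or calculated field on that sourcetype (Settings > Fields in Splunk Web, which is the Splunk Cloud equivalent of a FIELDALIAS or EVAL entry in props.conf), rather than by editing the app's dashboards.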
Hi, sorry for the screenshot before. Is this what you asked me for?
3/16/25 3:52:18.000 PM
AccountID: aa8346d92df968cd0
BytesReceived: 0
BytesSent: 1260
ClientTCPHandshakeDurationMs: 0
ClientTLSCipher:
ClientTLSHandshakeDurationMs: 0
ClientTLSVersion: none
ConnectionCloseReason: PROXY_CONN_REFUSED
ConnectionReuse: false
DestinationTunnelID: 8fcb-eb9c3e12
DetectedProtocol:
DeviceID: 12201bc8598d
DeviceName: Dev
EgressColoName:
EgressIP:
EgressPort: 52772
EgressRuleID: 00000000-0000-0000-0000-000000000000
EgressRuleName:
Email:
IngressColoName: ATL
Offramp: CFD_TUNNEL
OriginIP:
OriginPort:
OriginTLSCertificateIssuer:
OriginTLSCertificateValidationResult: NONE
OriginTLSCipher:
OriginTLSHandshakeDurationMs: 0
OriginTLSVersion: none
Protocol: UDP
RuleEvaluationDurationMs: 0
SessionEndTime: 2025-03-16T19:50:03Z
SessionID: 26421ab3fd000045601a91c400000001
SessionStartTime: 2025-03-16T19:50:03Z
SourceIP: 120.121.150.25
SourceInternalIP:
SourcePort: 52772
UserID:
VirtualNetworkID: 4497-9733-932d3b6b4e74