Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cloudflare app for Splunk integration with Splunk Cloud. Help!

AJH2000
Explorer
‎03-14-2025 10:02 AM

Hello Splunk Community,

I have installed the Cloudflare for Splunk app on Splunk Cloud and have successfully configured Logpush to send logs from Cloudflare to Splunk following the official instructions. I have verified that the logs are arriving correctly in Splunk using search queries like:

https://splunkbase.splunk.com/app/4501

index=cloudflare | head 10

I can see the logs in the search results, confirming that data ingestion is working. However, when I open the Cloudflare for Splunk dashboards, they are empty, showing "No results found".

I've checked the following topics.

  1. Checked Data Arrival - Logs are arriving correctly in Splunk (index=cloudflare contains data).
  2. Confirmed Sourcetype - The logs are being assigned the expected sourcetype (cloudflare:access, cloudflare:network, etc.).
  3. Verified Time Range - Made sure the dashboards are set to a broad time range (Last 24 hours or All Time).
  4. Checked Permissions - Ensured that the user running the dashboards has access to the cloudflare index.
  5. Examined Dashboard Searches - Manually ran the searches used in the Cloudflare dashboards, but they returned no results.

Questions:

  • Has anyone faced this issue before?
  • Are there any known fixes or configuration adjustments required for the Cloudflare for Splunk dashboards to populate correctly?
  • Do I need to manually adjust field extractions or event types for the dashboards to work?

I appreciate any guidance or recommendations you can provide. Thanks in advance for your help!

Best regards,

Labels (5)
0 Karma
Reply

livehybrid
Super Champion
‎03-14-2025 02:35 PM

Hi @AJH2000 

I assume you havent adjusted the default macros in the app, so they are pointing to the same cloudflare index you mentioned (Which is the default).

There looks to be two types of search in the app dashboard - one which looks at the custom "cloudflare" datamodel and the other being adhoc searches against the cloudflare index.

The datamodel looks to have sourcetype=cloudflare:json - Can you confirm you have this?

Most of the sourcetype props in the app look to be search-time based, but there are some settings which are index-time parsing settings, such as line merging, truncation etc. You mentioned that you're using Splunk Cloud - is the data landing directly on Splunk Cloud or is it going via a HF beforehand? If so, please can you confirm if you have the TA installed on your HF(s) where the data lands?

If you could "open in search" one of the failing dashboard searches so that we can see whats going on then this might help further.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

AJH2000
Explorer
‎03-14-2025 03:27 PM

Hi Will,

Yes, my Splunk index is named index=cloudflare, and I haven't adjusted any of the default macros—they still point directly to this default index.

I'm still relatively new to Splunk, so I was a bit confused by the cloudflare:json sourcetype. Currently, I'm receiving logs directly into Splunk Cloud via Cloudflare Logpush, with the following sourcetypes automatically assigned:

  • Zero Trust logs → cloudflare:access
  • DNS logs → cloudflare:dns
  • HTTP logs → cloudflare:http

I don't have events explicitly assigned to cloudflare:json. Do you know if I need this sourcetype specifically, or is it okay that my logs are using the specific types mentioned above?

I am using Splunk cloud and received this logs via Cloudflare Logpush.

Thanks again for your help—I appreciate your patience!

Regards,


AJH2000

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-14-2025 01:07 PM

Can you please share one or more of the manual dashboard searches you ran?  It's possible they have errors that prevent data from showing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AJH2000
Explorer
‎03-16-2025 11:08 AM

Hi

AJH2000_0-1742148204742.pngAJH2000_1-1742148288372.png

AJH2000_2-1742148407841.png

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2025 12:19 PM

I asked for searches and you gave me screenshots of not searches.  How does that help you?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AJH2000
Explorer
‎03-17-2025 03:34 AM

AJH2000_0-1742222037350.png

AJH2000_1-1742222051544.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-17-2025 04:54 AM

The first search is looking for non-empty AppDomain fields, but the second search shows the events do not have an AppDomain field at all.  That will keep the dashboard from displaying data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AJH2000
Explorer
‎03-17-2025 07:40 AM

Okay, thanks.

In this case, what steps do you recommend I take, and what would be the best way for me to modify my dashboard? What steps should I follow to find a solution?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-17-2025 10:08 AM

Investigate the data source to determine why it does not have the AppDomain field.  Perhaps it's not present and perhaps it's present under a different name.  For the latter, add an EVAL or FIELDALIAS definition to map the field to the expected name.

I advise against changing third-party dashboards.  Once you do that, it becomes your responsibility to keep the dashboard up-to-date.  Updating the app will not update the dashboard because it will be a local change that overrides the default that ships with the app.

---
If this reply helps you, Karma would be appreciated.
Reply

AJH2000
Explorer
‎03-17-2025 03:29 AM

Hi sorry for the screenshot before, Is this what you asked me for?

AJH2000_0-1742221734258.png

3/16/25
3:52:18.000 PM
{ [-]
   AccountID: aa8346d92df968cd0
   BytesReceived: 0
   BytesSent: 1260
   ClientTCPHandshakeDurationMs: 0
   ClientTLSCipher:
   ClientTLSHandshakeDurationMs: 0
   ClientTLSVersion: none
   ConnectionCloseReason: PROXY_CONN_REFUSED
   ConnectionReuse: false
   DestinationTunnelID: 8fcb-eb9c3e12
   DetectedProtocol:
   DeviceID: 12201bc8598d
   DeviceName: Dev
   EgressColoName:
   EgressIP: 
   EgressPort: 52772
   EgressRuleID: 00000000-0000-0000-0000-000000000000
   EgressRuleName:
   Email: 
   IngressColoName: ATL
   Offramp: CFD_TUNNEL
   OriginIP: 
   OriginPort: 
   OriginTLSCertificateIssuer:
   OriginTLSCertificateValidationResult: NONE
   OriginTLSCipher:
   OriginTLSHandshakeDurationMs: 0
   OriginTLSVersion: none
   Protocol: UDP
   RuleEvaluationDurationMs: 0
   SessionEndTime: 2025-03-16T19:50:03Z
   SessionID: 26421ab3fd000045601a91c400000001
   SessionStartTime: 2025-03-16T19:50:03Z
   SourceIP: 120.121.150.25
   SourceInternalIP:
   SourcePort: 52772
   UserID:
   VirtualNetworkID: 4497-9733-932d3b6b4e74
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top