Deployment Monitor Forwarder Warnings

glancaster · ‎10-22-2013

So I check Deployment monitor daily to get a quick overview of my environment. What I'm seeing after I upgraded, is the 'dm missing forwarders' search that runs the Forwarder Warnings dashboard panel is reporting "3d ago" which is when I upgraded the app.

I checked the saved search 'dm missing forwarders' and verified the time range is set to Start time = -24h and Finish Time = now

Running it manually works fine but the dashboard panel reports "3d ago". Has anyone seen anything like this? Is there a way to purge the dashboard panels saved results?

ShaneNewman · ‎10-29-2013

The saved searches that power the dashboards should update on a regular basis. If you want to refresh them more often, go into the savedsearches.conf of that app and update the frequency of when the searches run to update the dashboards.

ShaneNewman · ‎10-29-2013

The module should look something like this:

    <module name="HiddenSavedSearch" layoutPanel="panel_row5_col1">
      <param name="savedSearch">_capsule_details_search</param>
      <param name="useHistory">True</param>

You will just need your savedsearch to be scheduled on a regular basis to ensure it doesn't keep grabbing the old search data.

glancaster · ‎10-29-2013

Hi Shane,

I appreciate the response. I can take the saved search and get the results I want in free form search, but when I was letting the dashboard populate it was stuck on a previous time range. Luckily I saved the previous version and was able to just revert back for the time being.

Deployment Monitor Forwarder Warnings

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases