I'm indexing thousands of events from Sonicwall in Splunk 6.3, but why are summary dashboards not showing any data?

grantsmiley
Path Finder

I have a new Sonicwall indexing to Splunk 6.3. I have hundreds of thousands of events coming in from the Sonicwall every hour, however, the summary dashboards are all returning no data. My Sonicwall is sending very few events with a TID or template ID, and they're almost all ID 555. It appears most of the dashboards want to filter on TID, and there simply aren't any. I'm using the default syslog format on the Sonicwall, "Local Use 0" facility. I've tried with and without the "Override Syslog Settings with Reporting Software Settings". I'd like to keep that on as we have Sonicwall Analyzer set up as well. Is there another setting I'm missing in the firewall to get this to work?

1 Solution

grantsmiley
Path Finder

It turned out this was related to a customization that was made in the SonicWALL appliance itself. Reset it to factory defaults for logging and it worked fine.

chumneysplunk
New Member

I had a similar issue. I have syslog coming into Splunk via UDP 514.

I was not getting any data into the Sonicwall Analytics App.

I found that the external collector was not configured.

Once I made sure Splunk was listening on port 2055, I then proceeded to set up the External Collector to use Splunk. All the data was visible via the Sonicwall Analytics app dashboard(s) after the External Collector was set up.

ConnorG
Path Finder

Was this done by importing the default logging levels? Or is there another setting to reset that I'm missing here?
