Getting Data In

No data is getting displayed on dashboard

pratapa
Explorer

No data is getting displayed on the dashboard.

The following is the query.

index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | sum(sessions) AS wsessions by _time,warehouse | timechart avg(wsessions) by warehouse

We know the reason for the data not getting displayed on the dashboard.

Sourcetype wms_oracle_sessions does not exist.

Does it help if we create the sourcetype wms_oracle_sessions?

0 Karma

rabbidroid
Path Finder

Sourcetypes do not need to exist on the search head. Does the search return results if you remove everything after the raw search (from the first pipe to the end)?

0 Karma

gcusello
SplunkTrust

Hi @pratapa ,

sum isn't a Splunk command; it's a function to use in stats, timechart, or other commands.

So you should rebuild your search into something like this:

index=main sourcetype=wms_oracle_sessions 
| bucket span=5m _time 
| stats count AS sessions by _time,warehouse,machine,program 
| stats sum(sessions) AS wsessions by _time,warehouse 
| timechart span=5m avg(wsessions) by warehouse

or better (I cannot test it):

index=main sourcetype=wms_oracle_sessions 
| bucket span=5m _time 
| stats dc(program) AS programs by _time,warehouse 
| timechart span=5m avg(programs) by warehouse

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust

Yes, it helps with indexed data after you have assigned that sourcetype to your data in the ingestion phase. Old events still won't have that sourcetype attribute without reindexing them.

r.ismo

0 Karma

pratapa
Explorer

How do I assign the sourcetype wms_oracle_sessions to the data in the ingestion phase?

0 Karma
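For the question of how the sourcetype gets assigned at ingestion time, here is an added example that is not from any poster in this thread: an inputs.conf monitor stanza for the forwarder that reads the session log. The log path /var/log/wms/oracle_sessions.log is an assumption; the index and sourcetype names are the ones the dashboard search in this thread uses.

```ini
# inputs.conf on the forwarder that reads the WMS session log
# (added example; the file path below is an assumption, not from the thread)
[monitor:///var/log/wms/oracle_sessions.log]
# The sourcetype is stamped on each event as it is ingested; it cannot be
# attached afterwards to events that are already indexed.
sourcetype = wms_oracle_sessions
# Must match the index the dashboard search filters on (index=main)
index = main
disabled = 0
```

Only events ingested after the forwarder picks up this stanza carry the sourcetype, so `index=main sourcetype=wms_oracle_sessions | head 5` stays empty until new data arrives.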

pratapa
Explorer

We have created the sourcetype wms_oracle_sessions, but no luck.

No data is getting displayed on the dashboard.

0 Karma

gcusello
SplunkTrust

Hi @pratapa,

I see that your search is almost the same as the one in the answer at https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Missing/m-p/509256#M86624

Maybe the solution in that answer could help you!

Ciao.

Giuseppe

0 Karma

yr
Loves-to-Learn Everything

Hi gcusello,

We have the Splunk Add-on for AWS installed and configured, and we also installed and configured the Splunk app for AWS security dashboards, and we created a custom index. But somehow we do not see any data in the security dashboard app, even though we see data when we search outside the app.

I read up and it says the search macro has its own index and we need to change it, but I don't know where to change that index name in the search macro.

Any help is greatly appreciated.

We have Splunk Cloud.

Thanks,

yogesh

switchfly

0 Karma

gcusello
SplunkTrust

Hi @yr ,

The macro can be modified starting from that app in [Settings -> macro].

Another solution could be to add your custom indexes to the default search path of the roles of the users who have to use this app: [Settings -> Roles -> <your_role>].

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust

Hi

If I recall right, those macro names are given in the instructions? If you couldn't find them there, then you could open Settings -> Advanced search. There is a macros link there where you could find them. The correct macro is probably defined in the AWS app, not on the TA side. Open it and just add your index there.

r. Ismo

0 Karma

yr
Loves-to-Learn Everything

Hello,

Unfortunately, I could not see "advanced search" or "macro link" in our Splunk Cloud.

We have Splunk Cloud and a deployment server to deploy apps, and we requested Splunk support to install both apps (the Splunk app for AWS and the Splunk app for AWS security dashboards). We created the custom index.

Now we search our index in the search window and it displays the CloudTrail data as well as the CloudWatch data, but the security dashboard app does not pick up the data.

I understand we need to change the index from the default index name to our custom index name.

Questions:

1. What is the install path location of the apps?

2. Which conf file do we update for the index?

3. Can you please share some generic screenshots?

Thank you.

0 Karma

isoutamo
SplunkTrust

I'm not sure which role you need to see that. I can see it with the sc_admin role and I expect that it works at least with the power role.

0 Karma