No data is getting displayed on the dashboard.
Following is the query.
index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | sum(sessions) AS wsessions by _time,warehouse | timechart avg(wsessions) by warehouse
We know the reason for data not getting displayed on the dashboard.
Sourcetype wms_oracle_sessions does not exist.
Does it help if we create the sourcetype wms_oracle_sessions?
Sourcetypes do not need to exist on the search head. Does the search return results if you remove everything after the raw search (from the first pipe to the end)?
Hi @pratapa ,
sum isn't a Splunk command, it's a function to use in stats or timechart or other commands.
So you should rebuild your search in something like this:
index=main sourcetype=wms_oracle_sessions
| bucket span=5m _time
| stats count AS sessions by _time,warehouse,machine,program
| timechart avg(sum(sessions)) by warehouse
or better (I cannot test it):
index=main sourcetype=wms_oracle_sessions
| timechart span=5m avg(dc(program)) by warehouse
Ciao.
Giuseppe
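As an added example (not posted by anyone in this thread), the original search rewritten so that sum is used as a stats function rather than a command, keeping the two-level aggregation the original query attempted; the field names warehouse, machine and program are taken from the query above and are assumed to exist in the data:

```spl
index=main sourcetype=wms_oracle_sessions
| bucket span=5m _time
| stats count AS sessions by _time,warehouse,machine,program
| stats sum(sessions) AS wsessions by _time,warehouse
| timechart span=5m avg(wsessions) by warehouse
```

The second stats replaces the bare `sum(sessions) AS wsessions by _time,warehouse` from the original pipeline; timechart then averages the per-warehouse totals per 5-minute bucket.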
Yes, it helps with indexed data after you have assigned that sourcetype to your data in the ingestion phase. Old events still won't have that sourcetype attribute without reindexing them.
r.ismo
How to assign the sourcetype wms_oracle_sessions to the data in the ingestion phase?
We have created sourcetype wms_oracle_sessions but no luck.
No data is getting displayed on the dashboard.
Hi @pratapa,
I see that your search is almost the same as the one in this answer: https://community.splunk.com/t5/Getting-Data-In/Sourcetype-Missing/m-p/509256#M86624
Maybe the solution for that answer could help you!
Ciao.
Giuseppe
Hi gcusello,
We have Splunk Add-on for AWS installed and configured, and we also installed and configured the Splunk apps for AWS security dashboard, and we created a custom index. But somehow we do not see any data on the security dashboard apps even though we see data when we search outside the apps.
I read up and it says the search macro has its own index and we need to change it, but I don't know where to change that index name in the search macro.
Any help is greatly appreciated.
We have Splunk Cloud.
Thanks,
yogesh
switchfly
Hi @yr ,
the macro can be modified starting from that app in [Settings -> macro].
Another solution could be to add your custom indexes to the default search path for the roles of the users that have to use this app: [Settings -> Roles -> <your_role>].
Ciao.
Giuseppe
Hi
If I recall right, those macro names are given in the instructions? If you couldn't find them there, you could open Settings -> Advanced search. There is a macros link where you could find them. The correct macro is probably defined in the AWS app, not on the TA side. Open it and just add your index there.
r. Ismo
Hello,
Unfortunately, I could not see "Advanced search" or a "macro link" in our Splunk Cloud.
We have Splunk Cloud and a deployment server to deploy apps, and we requested Splunk support to install both apps (Splunk apps for AWS and Splunk apps for AWS security dashboard). We created the custom index.
Now we search our index in the search window and it displays the CloudTrail data as well as CloudWatch data, but the security dashboard apps do not pick up the data.
I understand we need to change the index from the default index name to our custom index name.
Questions:
1. What is the installed path location of the apps?
2. Which conf file to update for the index?
3. Can you please share some generic screenshots?
Thank you.
I'm not sure which role you need to see that. I can see it with the sc_admin role and I expect that it works at least with the power role.