Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk dashboard "could not create search" on external network

jadengoho
Builder
‎07-19-2019 04:50 PM

Hi All,
I have a Splunk environment which works internally using the IP address.
But when I tried accessing it externally on a site -sometimes dashboards are working and sometimes it's not showing anything just "Could not create search".
Is this caused by a network issue or Splunk configuration file?
Jobs are randomly stopped and show "502 error" on network inspect element.

alt text

Preview file
1 KB
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎07-30-2019 11:30 PM

Most likely this is related to either a load balancer or application firewall/filter you are going through when you access this externally. Generally we recommend that in the case of load balancers, that you make sure sticky sessions are enabled or that you disable application filtering for the Splunk base urls.

0 Karma
Reply

jadengoho
Builder
‎07-31-2019 11:20 PM

Hi, esix,
What do you mean by "sticky sessions are enabled".
And how can I disable application filtering for Splunk base URL?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-26-2019 01:47 AM

Hi jadengoho,
some very stupid questions:

  • when you say "sometimes", are you saying that the same dashboard, sometimes run and sometimes goes in error or that any dashboards (always the same) go in error and any always run?
  • did you verified in your dashboard that all the configurations use IP address and not hostnames?

Bye.
Giuseppe

0 Karma
Reply

jadengoho
Builder
‎07-26-2019 03:12 AM

when you say "sometimes", are you saying that the same dashboard, sometimes runs and sometimes goes in error or that any dashboards (always the same) go in error and any always run? - sometimes panels works, sometimes not.. It always happens

did you verify in your dashboard that all the configurations use IP address and not hostnames? Yes we tried using IP address same issue

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-26-2019 03:42 AM

Hi jadengoho,
did you find the differences between the two kind of panels?
Bye.
Giuseppe

0 Karma
Reply

jadengoho
Builder
‎07-29-2019 05:25 PM

External Site: All panels show this error.
Internal Site: No error Exist.

We suspect that the error occurs on the load balancer or the firewall.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-30-2019 01:30 AM

Hi jadengoho,
are there firewalls between splunk servers?
anyway you can test the open ports between servers.

Why do you use a load balancer between Search Heads and Indexers? you don't need them: Splunk has auto load balancing features.

Bye.
Giuseppe

0 Karma
Reply

jawaharas
Motivator
‎07-25-2019 10:28 PM

Should be a network issue. Is it happening even if you try from different network (say your mobile network instead of WiFi) ?

0 Karma
Reply

jadengoho
Builder
‎07-26-2019 03:13 AM

Same network, but using the external address still shows the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...