I'm using the windows app in my splunk instance and for the moment I'm only monitoring a handful of pc's and there perfmon data. What seems to be the issue is that the hosts field doesn't update to reflect the new pc's being added. I can see the data and review it, I just cant go to the performance tab and see it in real time, and the total number of hosts is not updated on the performance tab. I checked the manual and there's very little info on this. anyone have any ideas? The data for splunk is being saved in the default directory as I have not changed this.
Much of the data controls on the dashboards are generated by lookups that are generated in the background.
For whatever reason either the lookups are not geting updated or they are not getting updated fast enough for you. You can check on this by going to "Settings -> Lookup Management"
From here you can also manually regenerate the lookups.
There is some documentation about this as well located here:
Well, the data itself is not the problem as I can go one of several places to view it, all this does is pull the most recent data for viewing as if I had searched for it specifically. What I want to be able to do is go under the performance tab in the windows app and see all hosts that I am monitoring data from show up, and have the hosts fields updated to reflect the correct total of hosts I am monitoring.
Yes, my point was that the dropdown on the dashboards is driven by these lookups. If the lookups and data are not generated, the dashboard will not show the data.
Did you rebuild thelookups? I will post a screen shot of what you should run.
I see, I will give that a shot. I ran into a license violation issue so Im waiting for that to clear up, hopefully I can get a reset license from support and I will give this a shot.
Well when I attempt to do the steps you outlined I just get an error saying no results. I had to wipe my splunk database for previous results for testing purposes, but now it appears to not identify any hosts at all
So is there no data at all? The lookup generation needs some data in order for it to generate the lookups. Did you by any chance change anything from the defaults? For example, is your windows data coming into a different index?
No I left all the data going into the default index. it definitely has data as I can still go out and search for it, it just wont populate in this field.
Actually I have figured this out, It appears that local performance metrics are collected under different names then remote collection logs, and the windows app isn't setup to process these, it looks as though I need to alter the values in searches and reports so that it does. This is a bit short sighted by the app designers, as this appears to be the same with virtually all of the collection metrics within the splunk windows app.