Hi all,
I’ve recently encountered several challenges since migrating to Splunk Mission Control (MS) and would appreciate any guidance or insights.
Summary of Issues:
We had a dashboard set up to pull all the data needed for our monthly report. Since switching to MS, all those dashboards are broken with errors like:
"Could not find object id="*.
I recreated the dashboard with new searches, which initially worked fine and allowed report creation. However, when revisiting the new dashboard, most searches now fail or return no results within the expected time frame, despite previously working and being used in the latest report.
Several items such as charts for "top hosts (consolidated)" and "top hosts" that were available under Security Domain > Network > Exec View are now missing post-migration.
Search Aborts and Resource Issues:
One major problem is searches being aborted with SVC errors. After contacting the customer, workload restrictions on my account were lifted, but searches still fail due to resource usage.
Even limiting searches to a single day results in failures, and this has become quite frustrating.
Example Problem with Macros and Searches:
The macro sim_licensing_summary_base appears to be missing since moving to MS, and even the customer cannot locate it.
The following search, intended to replicate the macro’s function, returns incomplete results after 2025-04-10 without any errors in the job manager:
(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=true | eval GB=round((volume / 1073741824),3) | fields - b, volume | stats avg/max(GB)
Additional Notes:
Has anyone else experienced similar problems after switching to Mission Control? Any advice on troubleshooting these dashboard errors, missing macros, or search aborts would be greatly appreciated.
