Splunk Enterprise

Upgraded SH to 8.1.9, and Monitory Console doesn't see anything under Overview

mello920
Path Finder

Hello,

I upgraded our office's Search Head (SH) to 8.1.9 from 8.0.4. On the previous version, MC wouldn't even load. Now that it does, the Overview Window just says "Searching for..." (See screenshot below). But I can do a search for my indexer or forwarder and other events in the Search App. Not sure what I am missing with the MC setup. Other tabs like the Health Check work.

Any suggestions or help are greatly appreciated! Thank you very much.

 

V/r,

mello920

 

MC Error.png

Labels (3)
0 Karma
1 Solution

mello920
Path Finder

Rest API Calls were blocked by our WAF. Once they were unblocked, the monitoring console started behaving as normal.

View solution in original post

0 Karma

mello920
Path Finder

Rest API Calls were blocked by our WAF. Once they were unblocked, the monitoring console started behaving as normal.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Good to find the real root cause.

FYI: there are one another same kind of MC issue on 8.1.9 Monitoring Console issues where it shows some values as N/A instead of correct ones.

r. Ismo

mello920
Path Finder

Hello,

I have access to the internal indexes, instances are up and everything is configured correctly in the 'Setup' page. Everything's working, data is being indexed and I can search the data. Nothing in the splunkd.logs stands out. I compared the MC settings to our production environment, and they match this "test" enviroment.

Could it be resource issue? I noticed that the Prod Env has twice the cpu/memory as the Test Env that I'm trying to get working.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, it could be a resources problem.  The MC is a search head and, as such, needs sufficient resources to function.  Also, the indexers need sufficient resources to process searches generated by the MC.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Do you have access to the internal indexes?  The MC gets its data from them.

Have you followed the suggestions in the displayed error message?  Have you checked splunkd.log?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...