I have the Splunk TA for Linux deployed to my two test servers and their configuration is what is sending the data through to the main index: I had to manually change the permissions on the .sh and .py files due to my deployment server being a Windows box, but they are both sending all the expected telemetry from the SUF and TA to the main index. ...I had assumed, as the indexer was Windows, that it would not need the TA, but I will try that next - thanks!
I have installed (several times) the Splunk App for Unix (*nix) Version 6.0.1. I have changed the default index in the settings to use the index=main by editing the related search macro. I have configured the SUFs 'downstream' to send data to the main index and I can see all the data arriving in the index as expected. Note this is installed on a Splunk dedicated single instance running version 8.1.3 (Enterprise On-Premises).

In the settings section of the App, I can see the correct index is specified (main) and clicking on the various Preview button options returns valid data. See below for examples:

Index Specification, and verify "Preview" selections:

CPU data preview:

DF Data Preview:

Suffice it to say that all the other Preview buttons also return valid data. This would imply that the data is correctly configured and the application should be able to consume it. However, when I try and look at the dashboards of the app, they all remain free of any data, as can be seen from the screen captures below:

I am kinda out of ideas. Anyone got anything?

Cheers
Chris