Ouch!! After a few hours of troubleshooting it is the simplest thing that gets you... Apparently the extra validation from Splunk v6.2 does not like the grouping=7 attribute shown in the code snippet below. By deleting that attribute from the dashboard it fixes the issue. I hope to release an update to the app this weekend which will solve this and update the report at the same time.
    <dashboard stylesheet="custom.css">
      <label>FireEye Analytics</label>
      <row grouping="7">
        <panel>
          <single>
To help assist others in troubleshooting, this is the process I followed:
Check the date on the Splunkbox:
============================
date
Sun Aug 23 10:03:04 EDT 2015
Setup reporting:
=============
Help -> Setup
Enabled the report, adjusted the cron schedule
Artifacts:
=======
Setup modifies the following file, but you cannot modify the file with a text editor and expect cron to kick off:
/opt/splunk/etc/apps/FireEyev3/local/savedsearches.conf
Splunk log file:
tail -f /opt/splunk/var/log/splunk/python.log
2015-08-23 10:04:01,715 -0400 INFO sendemail:948 - sendemail pdfService = pdfgen
2015-08-23 10:04:01,716 -0400 INFO sendemail:1072 - sendemail:mail effectiveTime=1440338640
2015-08-23 10:04:02,187 -0400 INFO pdfgen_endpoint:400 - pdf time-of-report=1440338640.0
2015-08-23 10:04:07,509 -0400 INFO sendemail:1095 - Generated PDF for email
2015-08-23 10:08:47,828 -0400 INFO sendemail:109 - Sending email. subject="Splunk Report: Daily Analytics Report", results_link="httpx://splunkbox:443/app/FireEye_v3/@go?sid=scheduler_nobody_RmlyZUV5ZV92Mw_RMD592c3f775b24f7408_at_1440338640_1", recipients="[u'Tony.Lee -at- fireeye. com']"
Mail log file:
tail -f /var/log/maillog
Aug 23 10:08:47 splunkbox sendmail[25238]: t7NE47pY025238: from=, size=16929, class=0, nrcpts=1, msgid=201508231408.t7NE47pY025238@DN-SPLUNK-01, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Aug 23 10:08:47 splunkbox sendmail[25238]: t7NE47pY025238: to=, delay=00:00:00, mailer=esmtp, pri=46929, dsn=4.4.3, stat=queued
Gotchas:
=======
Splunk must be restarted every time the analytics report file changes - Painful...
The cron job must be edited from the GUI to take effect
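Added example (not part of the original post and not the app's own code): one way to find and remove the grouping attribute from row elements in a dashboard file before an upgrade to v6.2, leaving the rest of the file byte-for-byte unchanged. The sample dashboard, function names and file handling are assumptions made for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the snippet from the post, closed so that it parses.
SAMPLE = """<dashboard stylesheet="custom.css">
  <!-- constructed sample dashboard -->
  <label>FireEye Analytics</label>
  <row grouping="7">
    <panel><single/></panel>
  </row>
  <row>
    <panel><single/></panel>
  </row>
</dashboard>
"""

# Matches a <row ...> start tag up to and including its grouping attribute.
ROW_GROUPING = re.compile(r"""(<row\b[^>]*?)\s+grouping\s*=\s*(?:"[^"]*"|'[^']*')""")


def find_row_grouping(xml_text):
    """Return the grouping value of every <row> element that carries one."""
    root = ET.fromstring(xml_text)
    return [row.get("grouping") for row in root.iter("row") if "grouping" in row.attrib]


def strip_row_grouping(xml_text):
    """Drop grouping from <row> start tags; comments and layout are preserved."""
    cleaned = ROW_GROUPING.sub(r"\1", xml_text)
    # Re-parse to confirm the result is well-formed and the attribute is gone.
    if find_row_grouping(cleaned):
        raise ValueError("grouping attribute still present after rewrite")
    return cleaned


def fix_file(path):
    """Rewrite one dashboard file in place; return the values that were removed."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    removed = find_row_grouping(text)
    if removed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(strip_row_grouping(text))
    return removed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for dashboard in sys.argv[1:]:
            print(dashboard, fix_file(dashboard))
    else:
        print(find_row_grouping(SAMPLE))
        print(strip_row_grouping(SAMPLE))
```

Run it with no arguments to see the sample processed, or pass dashboard XML paths to rewrite them in place; keep a backup copy of each file first.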