Good Day Team
I am hoping I can get assistance as this has been a problem for a long time now.
I have installed Pi-hole and Splunk Server on the same host and they are working fine.
I am able to see Pihole logs on Splunk, but my problem is that the dashboard is not showing the Pihole graphs and charts.
Could anyone kindly assist?
Thanks in advance.
I realize this is an old question and unsure if you ever found a solution.
Assuming we're talking about the Pi-Hole DNS App (https://splunkbase.splunk.com/app/4506/) I encountered the same problem trying to install it today. Data is there, sourcetype set to pihole as outlined in the documentation.
What I found was my issue was that Acceleration for the DNS data model was not enabled. Going to Settings -> Data models -> Network Resolution (DNS) and enabling it for Acceleration solved my dashboards (enabling Acceleration may take some time to build depending on the amount of data).
Another option is to edit the dashboards and remove the "summariesonly=t" from the tstats queries. I assume all dashboards will run slower when summaries are not enabled - which was solved by the Acceleration for me.
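Added example, not part of the thread or the app's own code: a Python script that lists which panels of a Simple XML dashboard use `summariesonly=t` (and so stay empty until the data model is accelerated) and returns a copy with the flag removed. The sample dashboard, its panel titles, the `index=pihole` search and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Simple XML dashboard for illustration; not taken from the Pi-hole app.
SAMPLE_DASHBOARD = """<dashboard>
  <label>DNS overview (constructed sample)</label>
  <row>
    <panel>
      <title>Top queried domains</title>
      <chart><search><query>| tstats summariesonly=t count from datamodel=Network_Resolution.DNS by DNS.query</query></search></chart>
    </panel>
    <panel>
      <title>Raw events</title>
      <table><search><query>index=pihole sourcetype=pihole | head 10</query></search></table>
    </panel>
  </row>
</dashboard>"""

# Matches summariesonly=t / true / 1 as written in a tstats search.
SUMMARIES_ONLY = re.compile(r"\bsummariesonly\s*=\s*(?:true|t|1)\b\s*", re.IGNORECASE)

def panels_needing_acceleration(xml_text):
    """Return titles of panels whose search reads only accelerated summaries."""
    root = ET.fromstring(xml_text)
    hits = []
    for panel in root.iter("panel"):
        title = panel.findtext("title", default="(untitled)")
        for query in panel.iter("query"):
            if query.text and SUMMARIES_ONLY.search(query.text):
                hits.append(title)
                break
    return hits

def drop_summariesonly(xml_text):
    """Return dashboard XML with the summariesonly flag removed from every query."""
    root = ET.fromstring(xml_text)
    for query in root.iter("query"):
        if query.text:
            # Without the flag, tstats falls back to its default (summariesonly=false).
            query.text = SUMMARIES_ONLY.sub("", query.text)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(panels_needing_acceleration(SAMPLE_DASHBOARD))
    print(drop_summariesonly(SAMPLE_DASHBOARD))
```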
Are the logs sourcetyped correctly - are you able to post a screenshot?
The app is very basic, so there is not much to go wrong if the data is indexed correctly.
Hi Nick
I believe the source types and path are correct as I can see logs when I use the search and report feature, but when using the pihole app, nothing is pulled down.
Please find the attached image.
If possible, could you provide me with a link where I can find the steps on how to set up the pihole app for Splunk and have the graphs showing?
Regards
Pardon me, I do not know the proper way to attach files or image links to pictures on my machine.
Lesegod
Could you copy the inputs file? And the search that does show results?
Upload them to some online image host and then share the link. We cannot look at your C drive 😉
Also: that you can see data in search does not mean it is sourcetyped correctly. Just check the search behind the dashboard panels in the pihole app to see what index/sourcetype it is looking for and then confirm whether that is indeed matching what you have.
PS: which pihole app are we talking about here? There are multiple on Splunkbase.
Are you using TA-pihole: https://splunkbase.splunk.com/app/4121/
If so, that TA expects data to be index=pihole and sourcetype="dnsmasq"