All Apps and Add-ons

Sys-Health-Check Dashboard not populating

richardphung
Communicator

Looks like Network Overview, NetworkHealth + drilldowns, Link States, and Network Search are all populating correctly.

The Dashboard Panels under Sys-Health-Check are blank, with No Results.
External Table (TCAM) Counters, etc.

These are driven by the search (or similar):

index=extnet | rex "SysName:\s+(?<sysName>.*)\s+SysLocation" | rex "System\sMAC:\s+(?<sysMAC>\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2})" | rex max_match=0 "(?<timeStamp>\d+/\d+/\d+\s+\d+:\d+:\d+\.\d+)\s+\<Warn:HAL\.Sys\.HCExtTbl\>\s+Slot-(?<slotNum>\w):\s+Sys-Health-Check:\sExternal\sTable" | fillnull value="Not Available" sysName | fillnull value="Not Available" sysMAC  | search slotNum=* | eval combiField=mvzip(timeStamp,slotNum) | mvexpand combiField | rex field=combiField "(?<time>.*),(?<slot>.*)" | convert mktime(time) AS time | where time>relative_time(now(),"-25y") |  dedup sysName,slot,time | stats count by sysName,sysMAC,slot | rename sysName AS "SysName" sysMAC AS "MAC Address" slot AS "Slot" count AS "Count"

Is there anything I need to do on the Collector config to get these events?

e.g. configure tech-support add collector [hostname | ip_address] tcp-port <port#> {ssl [on | off]}

Or has the syntax changed?
I noticed that:

\s+Slot-(?<slotNum>\w):\s+Sys-Health-Check:\sExternal\sTable

Doesn't return anything.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...