- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- action="*" not working in Splunk 6
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
action="*" not working in Splunk 6
Hello,
I am using Splunk for Squid in Splunk 6. I did notice that this app is not supported by Splunk 6, I hope that you will still be able to support this app in the latest version. The field extractions are working properly, but the dashboard elements are not populating properly. Specific, this search returns no results:
search sourcetype="squid" action="*" | eval reqcount=1 | timechart per_second(reqcount) by action
causing the dashboard elements to not populate. For some reason when you add action="*" the query does not return any results. Any support would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found a workaround for this issue. I modified the app's reports so they were looking for action="TCP*". This allowed the dashboards to be populated. I think some of my other apps were causing the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just checked and I do have TA-pfsense installed.
http://apps.splunk.com/app/1527/
My understanding was that because the folder name for Splunk on Squid started with a letter 'S' it would have precedence over the TA-pfsense transforms.conf, correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh - yeah, that could definitely be possible. If you could verify this that would be great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just so you are aware, I also have the TA-pfsense app installed which might also be trying to parse the squid logs. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the feedback - I'll try to reproduce the problem on my end and keep you updated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The other fields are being extracted properly. I noticed that this query did not work:
search sourcetype="squid" action="*" | eval reqcount=1 | timechart per_second(reqcount) by action
But this did work:
sourcetype="squid" | search action="*" | eval reqcount=1 | timechart per_second(reqcount) by action
By adding the search action="*" it was able to query correctly. With this knowledge I could modify the app, but it makes sense to find the root of the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's no reason why the app wouldn't work with Splunk 6. It doesn't make use of any 5.x/6.x features but nothing should break. Are other fields extracted properly (I highly doubt they are)? The ones listed in the "Documentation" tab here: http://apps.splunk.com/app/453/
If not I suspect your Squid logs are in another format than what is expected by the app.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
