Dashboards not working or have random gaps in info...

mwarvi · ‎12-04-2017

Since the upgrade to 6.0, including 6.0.1, the dashboards are more often not working than working for me.

In particular, the All Incidents dashboard seems to randomly stop being populated with data. For example, yesterday there's no information between 12pm and 6pm, and then today from 2am to 6am. I can confirm that there are incident type logs coming in the entire time, and that they are being parsed correctly. Data models are 100% and accelerated. During these gaps, the User Behavior dashboard also doesn't work.

As for other issues, the File Activity dashboard is always on "Waiting for data...", Endpoint and Firewall config is no results found, web activity is only loading Top Referrers and Methods over Time.

GlobalProtect, Firewall System and Real-Time seem to be working without an issue.

As stated before, the events are being tagged and parsed into the different event types fine. I'm just not sure where else to look.

darrenbisbey · ‎12-28-2017

i'm using 7.0 not 62

D.

nikita_p · ‎12-27-2017

Hi @mwarvi,
Can you check below answer in splunk if it helps you?
https://answers.splunk.com/answers/186429/splunk-62-upgrade-issue-users-can-no-longer-create.html

DalJeanis · ‎12-27-2017

Okay, one possibility is that your underlying searches are not being run, either because they are not set up correctly, or because they are taking too long and the next one gets skipped. Try something like this to test that...

 index=_internal source=*metrics.log group=searchscheduler 
| timechart partial=false span=10m sum(dispatched) sum(skipped)

darrenbisbey · ‎12-27-2017

GlobalProtect, Firewall System and Real-Time are working but as the above poster said. But all other dashboards not.

This was a fresh install.

Darren

Dashboards not working or have random gaps in information

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes