All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Technology Inventory Add-on for Splunk: Why aren't events searchable and pre-built panels are coming up empty?

jheadley
Explorer
‎10-12-2018 10:50 AM

We would like to use the Technology Inventory Add-on for Splunk, but we can't seem to get the prebuilt panels to populate. We see events in Splunk from Splunk's Linux add-on for the 5 scripts mentioned in Technology Inventory Add-on for Splunk's Complete List documentation, but searching for "techinventory_indexes tag=inventory" returns no results and the pre-built panels are empty.

I didn't think I missed any configuration steps, but perhaps I did?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎10-15-2018 10:10 AM

Hi! Thanks for providing the feedback! I see the documentation doesn't elaborate on indexes as much as I would have liked, so let's see if we can sort this out and then I'll make an update accordingly.

macro techinventory_indexes is defined as other macros which ultimately bring us to index=os and index=windows. It's possible the data you are collecting is merely in other indexes. Is this as simple as adding your index to the respective macros?

Specifically, find what indexes your inputs are sending the data to, then add those indexes to either windows_indexes OR unix_indexes macros.

If that isn't the problem then this could be an issue with the sourcetypes having been updated in recent updates to the dependent TAs. But let's start with the former first.

View solution in original post

Reply
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎10-15-2018 10:10 AM

Hi! Thanks for providing the feedback! I see the documentation doesn't elaborate on indexes as much as I would have liked, so let's see if we can sort this out and then I'll make an update accordingly.

macro techinventory_indexes is defined as other macros which ultimately bring us to index=os and index=windows. It's possible the data you are collecting is merely in other indexes. Is this as simple as adding your index to the respective macros?

Specifically, find what indexes your inputs are sending the data to, then add those indexes to either windows_indexes OR unix_indexes macros.

If that isn't the problem then this could be an issue with the sourcetypes having been updated in recent updates to the dependent TAs. But let's start with the former first.

Reply
Solved! Jump to solution

jheadley
Explorer
‎10-16-2018 10:58 AM

Thank you, that seems to have resolved it. Changed it to "( index=os OR index=main )" and data started showing up in the dashboard panels.

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎10-17-2018 11:43 AM

Huzzah! I've created a bug item to keep track of the gap in documentation as well. Thanks for asking and bringing this gap to my attention!

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎08-15-2019 10:16 AM

FYI: The Details have been edited in hopes to clarify this. Thank you for your patience!

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...