Dashboard showing Zeroes

MageSlayer · ‎03-21-2013

The initial installation goes through without a problem and the dashboard items appear, however none of the data being sent to the Splunk server(we confirmed the data is coming in) is being displayed on the Dashboard. A lot of the searches seem to reference a src_ip field, and I see where this transformation is supposed to happen, but when searching for src_ip, it returns nothing.

Is there a step missing to connect this missing src_ip field? I believe this is the cause of the dashboards being empty.

MageSlayer · ‎03-21-2013

It seems a reboot of the FireEye box suddenly made it start working.

MageSlayer · ‎03-21-2013

It's for the FireEye app(sorry I thought that was noticed with the tag there)

rsennett_splunk · ‎03-21-2013

Can you specify what Dashboard you're talking about? Is it from an app you downloaded or something you built?

If src_ip is referenced in the searches it might be a field created in props.conf

can you post that here?

If you like, post the props.conf, the trasnforms.conf and one of the searches.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Dashboard showing Zeroes

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor