Hello,
I am having the exact same problem this morning. I guess it comes from the fact that the fields used in all the queries from the dashboards are not extracted. For example, in:
index=os sourcetype=top host=forwarder.localdomain | stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME
I have no result.
But when I'm only using index=os sourcetype=top host=forwarder.localdomain I get all the events related to this search.
And I don't see the extracted fields on the left side in the "Interesting fields". I guess that's why Splunk is not able to use these fields to narrow and display the query for the dashboard.
Now the question is: Is it normal that these fields are not automatically extracted? And what step are we missing to do so?
Do we need to somehow modify props.conf and so on manually, or... copy something somewhere?
Thanks for your help, guys.