Category: Information

Priority: Normal

Platform: Splunk

Version: 1 from 08.11.2022

Description

Splunk dashboards are not populating with data, but when searching manually, PowerConnect data can be found in Splunk.

Cause

Some PowerConnect implementations may use a Splunk index with a name other than “sap.” The out-of-the-box dashboards contain search macros that assume an index name of “sap.” Splunk search macros are segments of Splunk search language that can be called by invoking the macro name in a search query and passing any arguments specified in the macro definition.

Resolution

Please update the search macros provided in the app in order to populate the dashboards with data.

  1. Click on “Settings,” and then “Advanced search”

  2. Click “Search macros”

  3. Search for “sap-abap”

    1. The results should indicate macros with the name “sap-abap(1)” and “sap-abap(2)”

  4. For each “sap-abap” macro, click on the macro name and replace the definition with the following content:

    1. sap-abap(1)

      (`sap-index` source!=audittrail (((sourcetype=sap_abap OR
      sourcetype=sap:abap) EVENT_TYPE=$event_type$) OR
      (sourcetype=sap:abap:$event_type$)))

    2. sap-abap(2)

      (`sap-index` source!=audittrail (((sourcetype=sap_abap OR
      sourcetype=sap:abap) EVENT_TYPE=$event_type$) OR
      (sourcetype=sap:abap:$event_type$)) EVENT_SUBTYPE=$event_subtype$)
