Category: Information | Priority: Normal |
---|---|
Platform: Splunk | Version: 1 from 08.11.2022 |
Description
Splunk dashboards are not populating with data, but when searching manually, PowerConnect data can be found in Splunk.
Cause
Some PowerConnect implementations may use a Splunk index with a name other than “sap.” The out-of-the-box dashboards contain search macros that assume an index name of “sap.” Splunk search macros are segments of Splunk search language that can be called by invoking the macro name in a search query and passing any arguments specified in the macro definition.
Resolution
Please update the search macros provided in the app in order to populate the dashboards with data.
Click on “Settings,” and then “Advanced search”
Click “Search macros”
Search for “sap-abap”
The results should show macros named “sap-abap(1)” and “sap-abap(2)”.
For each “sap-abap” macro, click on the macro name and replace the definition with the following content:
sap-abap(1)
```
(`sap-index` source!=audittrail (((sourcetype=sap_abap OR sourcetype=sap:abap) EVENT_TYPE=$event_type$) OR (sourcetype=sap:abap:$event_type$)))
```
sap-abap(2)
```
(`sap-index` source!=audittrail (((sourcetype=sap_abap OR sourcetype=sap:abap) EVENT_TYPE=$event_type$) OR (sourcetype=sap:abap:$event_type$)) EVENT_SUBTYPE=$event_subtype$)
```
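The same change expressed as a `macros.conf` fragment, for deployments that manage the app's configuration in files rather than through the UI. This is an added example, not part of the original article or the PowerConnect app; the app directory placeholder, the index name `sap_custom`, and the form of the `sap-index` definition are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/<powerconnect_app>/local/macros.conf
# <powerconnect_app> is a placeholder for the app's directory name.

# Assumption: the sap-index macro carries the index filter that the
# sap-abap macros call. sap_custom is a constructed index name;
# substitute the index your PowerConnect data is written to.
[sap-index]
definition = index=sap_custom

# One-argument form: the argument name matches the $event_type$ token.
[sap-abap(1)]
args = event_type
definition = (`sap-index` source!=audittrail (((sourcetype=sap_abap OR sourcetype=sap:abap) EVENT_TYPE=$event_type$) OR (sourcetype=sap:abap:$event_type$)))

# Two-argument form: adds the $event_subtype$ filter.
[sap-abap(2)]
args = event_type, event_subtype
definition = (`sap-index` source!=audittrail (((sourcetype=sap_abap OR sourcetype=sap:abap) EVENT_TYPE=$event_type$) OR (sourcetype=sap:abap:$event_type$)) EVENT_SUBTYPE=$event_subtype$)
```

Stanzas in the app's `local` directory take precedence over the shipped `default/macros.conf`, so the override survives app upgrades.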