Troubleshooting Missing Fields

If you are running the Home Monitor App and the dashboard is not populating with data, you might be having problems with field extractions. This example covers the 'fios' sourcetype and how to troubleshoot it.

First, if your Home Monitor Network Overview looks like this, you might be having problems:





Let's start by clicking on search and doing some routine troubleshooting:



This will open a standard search. Remove the 'direction=in | stats count' portion so that the search runs just 'index=homemonitor sourcetype=fios':


Now, change the search mode from "Fast Mode" to "Smart Mode" to enable all the field extractions: 



Now look at the interesting fields and check whether "direction" is properly extracting data:

Clearly, it's not extracting data properly, so let's fix it.

First, click on Settings, then open Fields:


Once in Fields, open "Field extractions"


Once in Field extractions, click on "Open Field Extractor"


Let's select the sourcetype dropdown and type in 'fios'.

Select a sample event from the Events below and click "Next"

Click on "Regular Expression"

Now highlight the field "OUT" and name it direction: 



See that the direction field has been extracted:


Click on "Show Regular Expression" and copy the results:


See that the 'direction' field already exists:


Open the Existing Fields view and open the 'direction' field:


Paste the corrected version of the regex and preview the results, then click Save:




After you hit Save, click on Finish:



And now you should start seeing results from your extractions.
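To check the extraction with numbers instead of the fields sidebar, the search below (an added example, not part of the original post) reports how many 'fios' events carry a 'direction' value and how many do not. It uses the index, sourcetype and field name from this walkthrough; the 60-minute window and the output column names are arbitrary choices.

```spl
index=homemonitor sourcetype=fios earliest=-60m
| eval extracted=if(isnull(direction), "missing", "ok")
| stats count AS events,
        values(direction) AS direction_values,
        latest(_raw) AS sample_event
        BY extracted
| eventstats sum(events) AS total
| eval pct=round(100*events/total, 1)
| table extracted events pct direction_values sample_event
```

A "missing" row with a non-zero count means the extraction still fails for some events, and its sample_event column gives you a raw line to test the regular expression against in the Field Extractor.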

Comments

  1. I'm hoping you can help me out. I'm still not able to feed data into your home monitor app. When I open the app the only data I can review is on the bandwidth overview tab which identifies hosts on my network and the average down/up speeds. I am forwarding my pfSense logs to the Splunk server and I have validated from the data summary that new logs are flowing in. When I click on sourcetypes under data summary I can see "pfsense:filterlog" as a source type with currently over 100000 records indexed.

    When I click on pfsense:filterlog there is a selected field for "vendor_direction" which has the correct values formatted. However, when I go to "Overview Dashboards > Home Network Overview" the "Select your sourcetype" option is greyed out and it says "search produced no results." I have been trying to troubleshoot this for the last couple days so any help you could provide would be much appreciated.
