Dashboards Have Only Partial or No Data

If you do not see all the expected data on a dashboard please check the following:

Did you take the selected time range into account?

The dashboards display data from the selected time range only. Please make sure the time range selector is set to a period from which you expect events.

Is the data in the Splunk index?

If data does not show up in a dashboard, it might not be in the index. In that case, the corresponding endpoint might have stopped sending data. To check for this, go the the search app and search for index=uberAgent* within the desired time range. Look for the expected data in the search results.

Did you enable receiving?

Please make sure that you opened a TCP port on the Splunk server as described here.

Do you have permissions on the index?

The account you are accessing the uberAgent app with needs read permissions on the uberAgent index(es) or else no data will be returned by the searches. For details please see the article about multi-tenancy.

Is data from a specific endpoint missing?

If data from a specific endpoint is missing check the following on the endpoint:

  • Make sure the service uberAgent is running.
  • Check uberAgent's log file for issues.
