If you do not see any data on a dashboard, please check all of the following.
uberAgent indexer app
Check the following in Apps > Manage Apps:
- Do you have a Splunk app with the name "uberAgent indexer" installed?
Check the following in Settings > Indexes:
- Do you have an index with the name uberagent?
- What is the index's event count?
- How long ago was the latest event recorded?
There are multiple options for sending the data uberAgent collects on the endpoints to the Splunk backend. Make sure one of the following is configured correctly:
- uberAgent on endpoint > TCP port 19500 on Splunk indexer
- uberAgent on endpoint > Splunk HTTP Event Collector on Splunk indexer
- uberAgent on endpoint > TCP port 19500 on Universal Forwarder on endpoint > receiver port 9997 on Splunk indexer
The port numbers above are default values that can be changed.
Run the following Splunk search:
- Do you see results from all hosts with uberAgent installed?
- Do you see results from many different sourcetypes?
If data from a specific endpoint is missing, check the following on the endpoint:
- Make sure the service uberAgent is running.
- Check uberAgent's log file for issues.
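The endpoint-side checks above can be combined with the three data paths into one script. This is an added PowerShell example, not part of the uberAgent documentation. The indexer host name is a placeholder, 8088 is Splunk's default HTTP Event Collector port (not stated on this page), and the wildcard service lookup is an assumption about how the service is registered.

```powershell
# Added example: run on a Windows endpoint whose data is missing.
# -Path selects which of the three data paths from this page is configured.
param(
    [string]$Indexer = 'splunk-indexer.example.com',   # placeholder host name
    [ValidateSet('DirectTcp', 'Hec', 'UniversalForwarder')]
    [string]$Path = 'DirectTcp'
)

# TCP connect with a 3-second timeout; returns the target and whether it answered.
function Test-Port {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        $ok = $task.Wait(3000) -and $client.Connected
    } catch {
        $ok = $false            # refused, unreachable or name not resolved
    } finally {
        $client.Dispose()
    }
    [pscustomobject]@{ Target = "${HostName}:$Port"; Reachable = $ok }
}

# 1. Is the uberAgent service present and running?
#    The wildcard is an assumption: the page names the service only as "uberAgent".
$services = @(Get-Service -Name 'uberAgent*')
if ($services.Count -eq 0) {
    Write-Warning 'No service matching uberAgent* was found on this machine.'
}
$services | Select-Object Name, DisplayName, Status | Format-Table -AutoSize

# 2. Can each hop of the configured data path be reached?
#    Ports are the defaults; change them here if your deployment changed them.
$hops = switch ($Path) {
    'DirectTcp'          { @{ H = $Indexer; P = 19500 } }
    'Hec'                { @{ H = $Indexer; P = 8088 } }    # Splunk default HEC port
    'UniversalForwarder' { @{ H = 'localhost'; P = 19500 }  # local forwarder input
                           @{ H = $Indexer;    P = 9997 } } # forwarder to indexer
}
$results = foreach ($hop in @($hops)) { Test-Port -HostName $hop.H -Port $hop.P }
$results | Format-Table -AutoSize

# A reachable port only shows that something is listening; it does not prove
# that events are accepted, so still check uberAgent's log file for issues.
if ($results.Reachable -contains $false) {
    Write-Warning "At least one hop of the '$Path' data path is not reachable."
}
```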
The account you are accessing the uberAgent app with needs read permissions on the uberAgent index(es) or else no data will be returned by the searches. For details please see the article about multi-tenancy.
The dashboards display data from the selected time range only. Please make sure the time range selector is set to a period from which you expect events.