0

"Application Performance" Dashboard not showing values

We installed UberAgent in a test environment using a single Splunk instance. We've 5 clients connected (all using Windows 10 Enterprise).

Using the Process Performance Dashboard shows Processes data as expected:

Using the Application Performance Dashboard just shows empty panels:

Also other Application related dashboards like "Application Startup" are empty. Nevertheless, having a look at Application Usage shows, that applications are differentiated:

We would be happy to get some tips where the cause of this issue could be.

UberAgent Version 5.2 is used. Thanks for any help! :)

6 comments

  • Avatar
    Dominik Britz Official comment

    Yes, correct. The saved search never runs hence the empty CSV file. Please check the saved searches, stored in uberAgent’s savedsearches.conf. If you are using Splunk Free check this blog post.

  • 0
    Avatar
    Dominik Britz

    Hi Mathias,

    How does your appnameidmapping.csv file look like? You can find it in the lookups folder in the uberAgent app on your Splunk server.

  • 0
    Avatar
    Mathias Richter

    Hi Dominik,

    the appnameidmapping.csv seems untouched. Content is:

    [root@splunkserver lookups]# cat appnameidmapping.csv
    AppName,AppId,"time","mv_AppName","mv_AppId","mv_time"
    non-existent-dummy-appname,,,,,

    The owner of the file is the same user ("splunk") as the user owning and running the splunk instance

    [root@splunkserver lookups]# pwd
    /opt/splunk/etc/apps/uberAgent/lookups
    [root@splunkserver lookups]# ls -la appnameidmapping.csv
    -rw-r--r--. 1 splunk splunk 89 Apr 24 09:48 appnameidmapping.csv

    Is there anything we've to change here in terms of permissions?

  • 0
    Avatar
    Dominik Britz

    uberAgent relies on Splunk lookup tables, to enrich parts of its data. In Splunk Enterprise, these lookup tables are generated by saved searches, stored in uberAgent’s savedsearches.conf. Please run the following search manually and check the appnameidmapping.csv again.

    index=`uberAgent_index` sourcetype=uberAgent:Application:AppNameIdMapping AppId=* AppName=* | stats latest(_time) as _time mode(AppName) as AppName by AppId | inputlookup append=t lookup_appnameidmapping | stats latest(_time) as _time latest(AppName) as AppName by AppId | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields AppName AppId _time | outputlookup lookup_appnameidmapping

  • 0
    Avatar
    Mathias Richter

    After running the search the appnameidmapping.csv contains a list of AppNames, AppIDs and Timestamps.

    Is there a need to check the scheduled search now? I assume this was only an one time execution?

  • 0
    Avatar
    Mathias Richter

    Thanks for your support!

Please sign in to leave a comment.