Update: Dashboards and Splunk Cloud Gateway

In the first post about Splunk Cloud Gateway I talked about not being able to use Saved Searches with the Splunk Cloud Gateway. I worked with Splunk and got the official response back about the issue.

So you discovered a bug!  I will have a fix for this before the next release of the Cloud gateway app.  The issue is with the name of the saved search.  We are not url encoding the ref string when we should be which is causing the parser to fail.  If you want to work around this issue use a name for the saved search that doesn’t have any spaces.

After working with Splunk, I can confirm that this works. Using camel case (CamelCaseWorks) is a great way to accomplish this without spaces.
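To find dashboards that will run into this before a fix ships, here is an added example (not from the original post and not Splunk's code). It scans a dashboard's Simple XML for saved-search references and reports any name that changes when URL-encoded. Spaces are the case Splunk confirmed; treating every other non-URL-safe character as risky is an assumption, and the sample dashboard and search names are constructed.

```python
# Added example: flag <search ref="..."> names that are not URL-safe.
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample dashboard; the saved search names are made up.
SAMPLE_DASHBOARD = """\
<dashboard>
  <label>awesome_dashboard</label>
  <row>
    <panel>
      <chart><search ref="Errors By Host"/></chart>
    </panel>
    <panel>
      <table><search ref="ErrorsByHost"/></table>
    </panel>
    <panel>
      <single>
        <search><query>index=_internal | stats count</query></search>
      </single>
    </panel>
  </row>
</dashboard>
"""


def risky_saved_search_refs(simple_xml):
    """Return (name, url_encoded_name) for every saved-search reference
    whose name is not identical to its URL-encoded form."""
    root = ET.fromstring(simple_xml)
    findings = []
    for search in root.iter("search"):
        ref = search.get("ref")
        if ref is None:  # inline search, no saved-search reference
            continue
        encoded = quote(ref, safe="")
        if encoded != ref:  # assumption: any difference can trip the parser
            findings.append((ref, encoded))
    return findings


if __name__ == "__main__":
    for name, encoded in risky_saved_search_refs(SAMPLE_DASHBOARD):
        print(f"rename this saved search: {name!r} (encodes to {encoded})")
```

Export the dashboard source from the Simple XML editor and pass it to risky_saved_search_refs; an empty list means every referenced saved search already has a URL-safe name.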

Part 2 – Dashboards and Splunk Cloud Gateway

In the previous article (Dashboards and Splunk Cloud Gateway), I touched on the first opportunity to learn more of the new Splunk Cloud Gateway. Now I am going to talk about getting the Splunk TV app going.

One of the first things you need to do is enable Splunk TV in the Cloud Gateway app. In the Cloud Gateway app, go to Configure and make sure Splunk TV is enabled (see below).

Next you will need to register the Apple TV to your Splunk Cloud Gateway. In the Cloud Gateway application, go to Register. When you first launch the Splunk TV app on your Apple TV, it will give you an Activation Code. Enter that code in the Activation Code field of the Cloud Gateway register your device screen. Give the device a name. To continue setting up the device, click Register.

You now will get the challenge code to verify. The code is at the bottom of the screen with your registration code. Then you will need to enter the credentials of your Splunk Enterprise account. Then click Continue to finish the setup.

You can verify that the system accepted your Splunk TV by going to Devices. Here you will be able to see all the devices connected via the Splunk Cloud Gateway. In this example I have a Splunk Mobile and a Splunk TV device connected.

Dashboards and Splunk Cloud Gateway

So you have downloaded Splunk Cloud Gateway (https://splunkbase.splunk.com/app/4250/) and you are ready to go on your Mobile Device or Apple TV, but when you check your app your dashboard(s) do not show up in the list. Oh no! Here are a couple of things to check, and I am sure this article will be updated as more information is learned.

Check the internals!

A great place to start is the internal logs of Splunk. In this case:

index=_internal source="/opt/splunk/var/log/splunk/splunk_app_cloudgateway*"

This will let you see what is going on inside the Cloud Gateway app. Now we can start to search for what is going on with the dashboard by adding the name of your dashboard to the search.

index=_internal source="/opt/splunk/var/log/splunk/splunk_app_cloudgateway*" "awesome_dashboard"

There can be a lot to see, so we might want to narrow it down to just the errors and warnings.

index=_internal source="/opt/splunk/var/log/splunk/splunk_app_cloudgateway*" (log_level=WARNING OR log_level=ERROR) "awesome_dashboard"

Now we can start to get somewhere.

My error happened to be:

WARNING [dashboard_request_processor] [dashboard_request_processor] [fetch_dashboard_descriptions] [25941] Unable to parse dashboard description dashboard_id=https://127.0.0.1:8089/servicesNS/nobody/myapp/data/ui/views/mobile_today_01, request_id=ABC12345-6789-DEFG-HI01-JKLMNO234567 device_id=ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678901234567= current_user=myuser is_alert=False

Ok, so Splunk can’t parse the dashboard. I checked the dashboard and made sure the role “cloudgateway” had access but still no luck. I even checked that the scheduled search gave read permission to the role. No dice. Just by chance I created a new dashboard and happened to not use Scheduled Searches. I checked the mobile app and there it was, my awesome dashboard. Just to make sure I wasn’t seeing things I converted the inline to a saved search and then I got the errors again. Converted back to an inline search and there it was on my device. So just a helpful hint, if your dashboard isn’t showing up, check if there are scheduled searches.

Continue to Part 2, setting up Splunk TV.

5 Year Anniversary

Hello Everyone,

The day was Tuesday, February 26, in the year 2013.  A small group of us gathered at Charlie’s on the Lake for the first meeting of Splunk402.  Little did I know the journey I was in for.  Over the last 5 years, I have been able to meet so many great people and developed amazing friendships.  I have had the opportunity to represent Nebraska on an international stage at different events.

Since the first meeting 5 years ago, we have had some great meetings.  People have come and people have gone, but the spirit of the group has remained.  We are curious about technology and passionate about finding solutions to questions that have been asked and ones we didn’t know existed until we saw the data.

This group has been a shining light for Splunk.  The power of the user group in the fly over state that sits in the middle of the United States is astonishing.  I completely attribute this to the members of this group.  Without you, I would just be a person talking to myself about Splunk but you give me a voice to the community.  As a group, we continue to ask questions, give advice, and to push each other.

And for this, you deserve a party.  Please join me at the Beercade at 6104 Maple St, Omaha, NE 68104 on Thursday March 8th starting at 6pm for a celebration of the past 5 years.  We will provide the food, drinks, and video games.  Thank you for the memories and I look forward to the future with all of you.

Please register for the event at:

http://splk.site/5years

2018 Planning and Survey Results

Happy New Year to everyone out there.

We recently sent out a survey to members of our user group to help understand what the group is looking for in this upcoming year. Thank you to everyone that took the survey. Your opinions, thoughts, and suggestions help to shape the user group.

Question 1 is about topics for meetings.

Questions 2, 3, and 4 are about the meeting (type of meeting, day, time).

Question 5 is about activities that the group could do.

Question 6 is about the Splunk402 5-year party.

Question 7 is an open-ended question on what we can do better.


In 2018, what features of Splunk do you want to learn more about with Splunk?
Responses 22
Topic | Not Really | Somewhat | Yes Please | Weighted Average
Building Dashboards | 1 | 9 | 12 | 2.50
Splunk for Security | 4 | 8 | 10 | 2.27
Machine Learning | 5 | 6 | 11 | 2.27
ITSI | 5 | 7 | 10 | 2.23
Getting Data in to Splunk | 5 | 10 | 7 | 2.09
Splunk for IoT | 7 | 7 | 8 | 2.05
What are the conf and what do they do? | 6 | 9 | 7 | 2.05
Splunk for Cloud (AWS / Azure) | 6 | 12 | 4 | 1.91
Comments:
Common Information Model
all are great topics, honestly.

In which of these styles do you think would be best for you for the User Group?
Responses 22
Style | No Thank You | Sometimes | Yes Please | N/A | Weighted Average
Lecture Style – Person(s) up front interacting with everyone | 0 | 9 | 12 | 1 | 2.45
Large Group – Everyone together | 2 | 11 | 8 | 1 | 2.18
Presentation – Listen to a presenter (in person / online) or watch something as a group | 2 | 11 | 8 | 1 | 2.18
Small Group – Small groups of people working interacting with each other | 5 | 10 | 6 | 1 | 1.95
Networking – Less focused on the learning and more on the socializing aspect | 5 | 12 | 4 | 1 | 1.86
Comments:
N/A because I’ve never been to an event
I like networking for like a tiny portion, but not the whole meeting.

What time works best for you for the user group? (1 = Best for you, 5 = Worst for you)
Responses 22
Time | 1 | 2 | 3 | 4 | 5 | Score
Lunch (Noon) | 17 | 2 | 1 | 1 | 1 | 4.50
Late Afternoon (3pm) | 1 | 11 | 4 | 5 | 1 | 3.27
After work (6 pm) | 3 | 5 | 6 | 8 | 0 | 3.14
Breakfast (9am) | 1 | 2 | 8 | 3 | 8 | 2.32
Evening (8pm) | 0 | 2 | 3 | 5 | 12 | 1.77

What day of the week works best? (1 = Best for you, 5 = Worst for you)
Responses 22
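Day | 1 | 2 | 3 | 4 | 5 | 6 | 7 | Score
Tuesday | 6 | 6 | 5 | 2 | 3 | 0 | 0 | 5.45
Wednesday | 5 | 9 | 3 | 1 | 1 | 1 | 2 | 5.23
Thursday | 5 | 4 | 5 | 3 | 2 | 2 | 1 | 4.86
Monday | 3 | 1 | 4 | 9 | 5 | 0 | 0 | 4.45
Friday | 2 | 0 | 4 | 5 | 9 | 1 | 1 | 3.82
Saturday | 1 | 0 | 1 | 2 | 0 | 12 | 6 | 2.27
Sunday | 0 | 2 | 0 | 0 | 2 | 6 | 12 | 1.91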

If the User Group had an event in between meeting, please check any/all that you would want to attend.
Responses 17
Event | Count | Percent
Hack-a-thon (building dashboards/reports in a set timeframe) | 10 | 59%
Boss of the SOC | 9 | 53%
SPLing Bee | 8 | 47%
Boss of the NOC | 8 | 47%

We are coming up on our 5th year anniversary.  If we were to throw a party, where should we have it?
Responses 22
Location | Not for me | Maybe | Yes Please | Weighted Average
Beercade | 3 | 7 | 12 | 2.41
Private room of a bar | 2 | 11 | 9 | 2.32
Bowling Alley | 5 | 12 | 5 | 2.00
Escape Rooms | 7 | 11 | 4 | 1.86
Family Fun Center XL | 9 | 12 | 1 | 1.64
Comments:
private room at a bar only if the beer selection is on par with beercade
only answering not for me because I’ve never been to an event and would feel bad about taking advantage of a party

What can we do to help you and what can we do to make Splunk402 better?
Comments:
Keep on truckin.
Another topic I’d be interested in seeing is perhaps a live demo, or a walk through of how best to set up SSL/TLS through an entire Splunk deployment. There are some good .conf presentations, but even a group discussion on what works, lessons learned, strategies, ongoing maintenance considerations, etc. might provide benefit to the group.
free beer
Meetings 4-6 times a year.
Keep on keeping on …
<comment redacted>

August 2017 Meeting

About the Meeting:

With security being in the news so much lately, we are featuring it front and center in this user group meeting. We will be joined by a Special Agent of the Omaha FBI. He will be talking about Cyber Security and the FBI.

We will be at the offices of our great partner Sirius (formerly Continuum) in Omaha. We will also have a film crew from Splunk on hand to film our user group. Splunk .conf2017 is just around the corner and this will be the last time we meet before conf. If you have questions about conf, please let us know or talk to us at the meeting.

Date and Time:

August 10th, 2017 at Noon

Agenda

  12:00 PM Start Meeting, Grab Food, Introductions
  12:15 PM The FBI and Cyber Security
  01:15 PM General Discussion

Register for the Event
We are happy to be at the offices of Sirius this meeting. Their offices are at 14301 FNB Parkway, Suite 400, Omaha, NE 68154.

Register for the event at:
https://usergroups.splunk.com/group/nebraska-splunk-402-user-group/b65058dc-d0b5-47dc-96cf-0b63e4b4449c.html

April 2017 Meeting Recap

User Group Meeting:

Thank you to everyone that came out to our meeting.  We had a great time learning about Splunk for AWS.  We also had a great discussion afterwards with many people sharing their experiences to help other members of the group.

The WebEx recording of Splunk for AWS is at:
https://splunk.webex.com/splunk/ldr.php?RCID=3f4e82ee9cbe110328218495db3e3d29

PowerPoint (in PDF form) from the WebEx:
Splunk AWS Presentation

The marketing video for Splunk for AWS – Gain End-to-End AWS Visibility:
https://www.splunk.com/en_us/resources/video.5jYXR4MjE6hL2mlcK7r-TlN3IFkgSQ5Z.html


Survey Data:

From the data collected in the web survey, we will continue to have our meetings over lunch or after work. During these meetings we will focus on technical solutions. I will work to find ways for the meetings to be more interactive, with more troubleshooting-type meetings.

Comments:

  • Problems & Solutions; or a session to work through issues faced.
  • less sales, more tech details and app usage cases