Channel: Questions in topic: "splunk-enterprise"

Analytics for Nagios - eventName Field Extraction Not Working

We’ve just installed the ‘Analytics for Nagios’ app on our Splunk instance and I’ve run through the instructions to hook this into our Nagios XI instance. All good, and I can see the logs hitting the Splunk index (Nagios), but I’m seeing issues in the dashboards.

If I go to the “Overview” dashboard, the hostname pulldown box is empty (apart from ‘All’). Looking at the search string for the box I can see it is running the `nagios_hosts` macro to populate the results. Looking at the macro I can see that this is running the following search:

    `nagios_index` `nagios_core_sourcetype` `nagios_core_host_alert` | stats count by host_name

This returns no results if I put this into a search. I believe the `nagios_core_host_alert` macro does not seem to work, as I can see it is looking for the eventname, which does not seem to be an available field when I look at any log messages. For example, the search string `nagios_index` `nagios_core_sourcetype` returns the following type of message:

    [1455719894] INITIAL SERVICE STATE: localhost;Total Processes;OK;HARD;1;PROCS OK: 93 processes with STATE = RSZDT

But the eventname field is not an available field, so I’m wondering whether the field extraction is not working correctly in this instance. I’m assuming that eventname should be getting populated with INITIAL SERVICE STATE in this case, and also hostname is not getting populated and I believe this should be getting populated with localhost in this instance.

If you have any advice on why this may be happening that would be great as I’d really like to get using this app as quickly as possible.

Regards, Paul
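The post's expectation (eventname = "INITIAL SERVICE STATE", host = "localhost") follows the Nagios Core log layout: an epoch timestamp in brackets, an upper-case event name, a colon, then semicolon-separated fields whose meaning depends on the event. The following is an added example, not code from the Analytics for Nagios app, showing what a working extraction has to produce for such lines before a `stats count by host_name` can return anything. It is a stand-alone Python parser: the sample lines are constructed (the first is the one quoted above), the field names `host_name`, `service_description`, `state`, `state_type`, `attempt` and `plugin_output` are the author's own labelling of the Nagios columns and are not guaranteed to match the app's field names, and the `SPLUNK_REX` string is the same regex in PCRE named-group syntax for trying with Splunk's `rex` command; it is not executed here.

```python
import re

# Constructed sample lines in Nagios Core nagios.log format (not from a real host).
SAMPLE_LINES = [
    "[1455719894] INITIAL SERVICE STATE: localhost;Total Processes;OK;HARD;1;PROCS OK: 93 processes with STATE = RSZDT",
    "[1455719894] INITIAL HOST STATE: localhost;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 0.05 ms",
    "[1455719900] SERVICE ALERT: webserver01;HTTP;CRITICAL;SOFT;1;Connection refused",
    "[1455719930] SERVICE ALERT: webserver01;HTTP;CRITICAL;HARD;3;Connection refused",
    "[1455719950] HOST ALERT: webserver01;DOWN;HARD;3;CRITICAL - Host Unreachable",
    "[1455719960] Auto-save of retention data completed successfully.",
]

# Python form of the extraction: timestamp, event name, and the rest of the line.
# The event name is matched non-greedily so a ':' inside the plugin output
# (e.g. "PROCS OK: 93 processes") does not swallow part of the body.
NAGIOS_LINE = re.compile(
    r"^\[(?P<timestamp>\d+)\]\s+"
    r"(?P<eventname>[A-Z][A-Z ]*?):\s+"
    r"(?P<body>.*)$"
)

# Same regex with PCRE named groups, as one would paste into a Splunk search
# (`| rex "..."`). Assumed equivalent; not run by this script.
SPLUNK_REX = r'^\[(?<timestamp>\d+)\]\s+(?<eventname>[A-Z][A-Z ]*?):\s+(?<body>.*)$'

# Column layouts for the event types that carry a host name. Names are the
# author's own labels for the Nagios columns (hypothetical, not the app's).
SERVICE_EVENTS = {"SERVICE ALERT", "INITIAL SERVICE STATE", "CURRENT SERVICE STATE"}
HOST_EVENTS = {"HOST ALERT", "INITIAL HOST STATE", "CURRENT HOST STATE"}
SERVICE_FIELDS = ["host_name", "service_description", "state", "state_type", "attempt", "plugin_output"]
HOST_FIELDS = ["host_name", "state", "state_type", "attempt", "plugin_output"]


def parse_nagios_line(line: str) -> dict:
    """Return the fields extracted from one nagios.log line.

    Lines that do not follow the "[ts] EVENT NAME: body" shape (for example
    housekeeping messages) come back with eventname=None rather than raising,
    which mirrors how a Splunk extraction simply yields no field for them.
    """
    match = NAGIOS_LINE.match(line.strip())
    if match is None:
        return {"raw": line, "eventname": None}

    event = {
        "raw": line,
        "timestamp": int(match.group("timestamp")),
        "eventname": match.group("eventname"),
    }
    body = match.group("body")

    if event["eventname"] in SERVICE_EVENTS:
        names = SERVICE_FIELDS
    elif event["eventname"] in HOST_EVENTS:
        names = HOST_FIELDS
    else:
        event["body"] = body  # known shape but no per-column layout defined here
        return event

    # Split only as many times as there are columns so ';' inside the plugin
    # output stays intact; a short line keeps its raw body instead of guessing.
    parts = body.split(";", len(names) - 1)
    if len(parts) != len(names):
        event["body"] = body
        return event
    event.update(zip(names, parts))
    return event


def count_by_host(lines, eventnames) -> dict:
    """Equivalent of `... | stats count by host_name` restricted to the given
    event names: the number the dashboard's host pulldown depends on."""
    counts = {}
    for line in lines:
        event = parse_nagios_line(line)
        if event["eventname"] in eventnames and "host_name" in event:
            counts[event["host_name"]] = counts.get(event["host_name"], 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_nagios_line(sample))
    print("host alerts by host:", count_by_host(SAMPLE_LINES, HOST_EVENTS))
    print("service alerts by host:", count_by_host(SAMPLE_LINES, SERVICE_EVENTS))
```

If `count_by_host` is non-empty for constructed lines of the same shape as the ones in the index, the data itself is extractable, and an empty pulldown points at the app's extraction configuration (sourcetype or props not applied to the indexed events) rather than at the log format.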
