Troubleshooting

Follow these steps to troubleshoot issues with the Cisco ThousandEyes App for Splunk.

Check Logs

  1. View log files in the following location: $SPLUNK_HOME/var/log/splunk/ta_cisco_thousandeyes*.log

  2. Run the following search queries in Splunk to check logs:

    • General logs:

      index="_internal" sourcetype="ciscoThousandEyes:log"

    • Error logs:

      index="_internal" sourcetype="ciscoThousandEyes:log" ERROR

  3. To view detailed logs in Splunk Web UI:

    1. Go to Cisco ThousandEyes App for Splunk > Configuration > Logging.

    2. Set the log level to debug.

    3. Disable and enable the input to recollect data.

    4. Check the logs for detailed information.

Resolve Data Collection Issues

  1. If data collection is not working:

    • Ensure that the internet connection is active where the input is configured, or verify the proxy configuration (if applicable).

    • Confirm that the kvstore is enabled.

    • For Tests Stream Input:

      • Verify that the HTTP Event Collector (HEC) global settings are enabled.

      • Ensure that the HEC token is enabled.

  2. If data collection is working but dashboards are not populated:

    • Verify that the index macros are configured with the correct index values.

    • Update the macros if necessary to match the input configurations.

Fix Error: "The Server Name, Host Name, and Host is not reachable from Cisco ThousandEyes"

  1. Set the Server Name or Host Name correctly:

    1. Navigate to Settings > Server Settings > General Settings.

    2. Under Index Settings, set the Splunk server name or Default host name to the correct value required in the HEC collector URL.

  2. Restart Splunk after making these changes.

PreviousDashboardsNextBest-Practices Guides

Last updated