uberAgent

Dashboards Have No Data

If you do not see any data on a dashboard, please check all of the following.

uberAgent indexer app

Check the following in Apps > Manage Apps:

  • Do you have a Splunk app with the name uberAgent indexer installed?

Index uberagent

Check the following in Settings > Indexes:

  • Do you have an index with the name uberagent?
  • What is the index's event count?
  • How long ago was the latest event recorded?

Data flow

There are multiple options for sending the data uberAgent collects on the endpoints to the Splunk backend. Make sure one of the following is configured correctly:

  • uberAgent on endpoint > TCP port 19500 on Splunk indexer
  • uberAgent on endpoint > Splunk HTTP Event Collector on Splunk indexer
  • uberAgent on endpoint > TCP port 19500 on Universal Forwarder on endpoint > receiver port 9997 on Splunk indexer

The port numbers above are default values that can be changed.

Index contents

Run the following Splunk search: index=uberagent*

  • Do you see results from all hosts with uberAgent installed?
  • Do you see results from many different source types?
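An added example, not part of the uberAgent documentation, that answers both questions in one search: it lists every host that has written to the uberAgent index(es) within the selected time range, with its event count, number of distinct source types, and the age of its latest event. The output field names (events, sourcetypes, latest, minutes_since_latest) are chosen here for illustration.

```spl
| tstats count as events, dc(sourcetype) as sourcetypes, max(_time) as latest
    where index=uberagent* by host
| eval minutes_since_latest = round((now() - latest) / 60)
| eval latest = strftime(latest, "%Y-%m-%d %H:%M:%S")
| sort - minutes_since_latest
```

Compare the host column against your list of endpoints with uberAgent installed. Hosts that are absent, or that show a large minutes_since_latest, are the ones to examine on the endpoint itself.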

Endpoints

If data from a specific endpoint is missing, check the following on the endpoint:

  • Make sure the service uberAgent is running.
  • Check uberAgent’s log file for issues.

Index permissions

The account you are accessing the uberAgent app with needs read permissions on the uberAgent index(es) or else no data will be returned by the searches. For details please see the article about multi-tenancy.

Time range

The dashboards display data from the selected time range only. Please make sure the time range selector is set to a period from which you expect events.
