We recently started using the Splunk plugin, I am curious if others have noticed similar limitations with retrieving more than one data source or found ways to work around any of these issues:
1) More than one source CAS defined in Splunk causes data forwarding to Splunk to stop. The data forwarding for the "Default Report" works perfectly until we define a second CAS to poll for data in Splunk.
One resolution I found is to set the second CAS server up as a data source for the first CAS, and the data from both will be passed over from the single source definition. It does seem however that having more than one CAS defined in Inputs.conf is an issue.
2) Choosing "Default Report" or the "Custom Report" seems to be an either/or decision, a single source doesn't seem to support enabling both check boxes (or data forwarding again stops as above). It seems that multiple custom reports may be specified in the custom DMI section when separated by ";" but this caused data retrieval to stop as well.
I thought I'd be clever and simply add the default report name to the custom report string with the other report that I was trying to get, but this causes data retrieval to stop as well.
I'd love to hear if there are any suggestions to resolve this.
Solved! Go to Solution.
We just published version 1.32 of the plugin (see: Splunk plugin for DC RUM Community Page).
Ad 1) It was fixed in the 1.32 release.
Please note that Splunk plug-in front-end part does not support multiple CAS servers. Data that is being queried from the Splunk database is not properly aggregated (first of the available records is being taken). We also published plugin's source code on the GitHub so you can fork the repository and fixed the aggregation part if you want (there is a description on the repository page how to pack Splunk plugin from the source code). If you provide a pool request with the fix we will merge it back to the primary branch and provide an official build.
Ad2) I couldn't reproduce this issue. Probably it was indirectly resolved by the multi-CAS issue fix.
After playing with the DCRUM Splunk Plug-in and getting it working, I was asking some other Splunkites about it and received a few comments. The biggest one was that the Plug-in used the Django framework. Was told that since Splunk version 6.3 Django has been depreciated. No ETA was given on the removal of Django. Wanted to share this information so it could either be confirmed or denied. If true, then the Plug-in needs to be rebuilt within the Splunk standard configs?