topic Re: No data after setting up Add-on for Windows in All Apps and Add-ons

No data after setting up Add-on for Windows

bobmc859 — Wed, 30 Sep 2020 00:24:10 GMT

I have deployed Add-on for Windows on one of my servers and I'm not collecting any data. If I don't use the Add-on input.conf and only use the input.conf file located in \etc\system\local it works fine, but if remove the data from that file and use the \etc\apps\Splunk_TA_windows\local file I get nothing. I've restarted the service, rebooted the host machine and I'm not sure where to go from here.

I followed the directions here: https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration for the configuration of the input.conf and prop.conf files.

Any suggestions what I'm missing what log to look at for error messages?

Thanks,
Bob

Re: No data after setting up Add-on for Windows

koshyk — Wed, 30 Sep 2020 00:24:12 GMT

The best practice is to create an app of yourself , so it is modular and controllable (like deployment server etc.)

Remove any configs you have done in etc/system/local etc. and cleanup any config changes done on Splunk_TA_windows
Create an app (MY_windows_app) within etc\apps and create inputs.conf file within local directory of it. So it will look like . MY_windows_app\local\inputs.conf
Ensure your Splunk_TA_windows is present in etc\apps directory and is NOT modified at all
In your MY_windows_app\local\inputs.conf make an entry like below

[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
Restart splunk

Data should come in now correctly if you have setup your indexer and outputs.conf correctly

Re: No data after setting up Add-on for Windows

bobmc859 — Wed, 30 Sep 2020 00:24:16 GMT

Thanks koshyk! That seem to do the trick! I did fail to mention I do have a deployment server and that I was using that, but using your method I simply created the app and deployed it with your suggestions.

Though I do have a couple of quick follow up questions. In the link I referenced it talked about setting up the local.conf and prop.conf files, was that incorrect or was miss understanding something there?

Also using the method you shown me there I wanted to ask, what if I have some one off data I want to ingest in to splunk that is not configured in the MY_windows_app\local\inputs.conf file and I don't want it to be on every server. For example if I have one server that I want to get sysmon data from but not every server. Do I then update the etc/system/local input.conf file for that specifically?

Thanks again!
Bob

Re: No data after setting up Add-on for Windows

koshyk — Thu, 02 May 2019 11:22:31 GMT

then you create your "APP" more specific per input

MY_windows_application_inputs
MY_windows_security_inputs
MY_windows_sysmon_inputs

and in your serverclass, send the above apps as required to the end hosts/clients. The more granular you go, the more control you have and easy to be dynamic.

Re: No data after setting up Add-on for Windows

danielansell — Thu, 02 May 2019 12:08:55 GMT

Although your question has been answered, was the Windows app sending the data to the default 'windows' index, and you were searching your own index and found no data? Just checking - I'm trying to add to my troubleshooting knowledge base.

Re: No data after setting up Add-on for Windows

bobmc859 — Thu, 02 May 2019 13:16:45 GMT

No data was getting to the splunk instance at all, I did a search on index=* and saw nothing before doing koshyk's suggestion.

Re: No data after setting up Add-on for Windows

danielansell — Thu, 02 May 2019 13:19:09 GMT

Thanks for the response.