topic Re: Content Pack for Windows Dashboards and Reports data not showing in All Apps and Add-ons

Content Pack for Windows Dashboards and Reports data not showing

karampatsis — Tue, 23 Jul 2024 15:47:20 GMT

Hello, I am using Splunk Enterprise with IT Essentials Work, Windows Addon and Content Pack for Windows Dashboards and Reports. I made all the necessary configurations for Content Pack for Windows Dashboards and Reports but still I can not see any data in dashboards or the reports.

In eventtypes.conf file in DA-ITSI-CP-windows-dashboards/local folder i made the following changes

[windows_index_windows]

definition= index=windows OR index=main

[perfmon_index_windows]

definition= index=perfmon OR index=itsi_im_metrics

[wineventlog_index_windows]

definition= index=wineventlog OR index=main

The think the problem starts from the fact that eventtypes are not recognized in searches.

For example the search (eventtype=msad-successful-user-logons OR eventtype=msad-failed-user-logons) returns nothing.

In eventttypes.conf the above stanza is:

[msad-successful-user-logons]

search = eventtype=wineventlog_index_windows eventtype=wineventlog_security EventCode=4624 user!="*$"

If i run the search:

index=main EventCode=4624 user!="*$" i get results.

Can someone help me to solve the problem?

Thanks

[msad_index_windows]

search= index=msad OR index=main

Re: Content Pack for Windows Dashboards and Reports data not showing

Tom_Lundie — Wed, 24 Jul 2024 10:33:05 GMT

Hello,

With these sorts of issues it's best to work your way down to eliminate the possible causes.

Take an exemplar broken search from the dashboard and try to run it manually:
eventtype=msad-successful-user-logons

If that doesn't work try to run the definition manually:
eventtype=wineventlog_index_windows eventtype=wineventlog_security EventCode=4624 user!="*$"

If that works, make sure the msad-successful-user-logons definition is correct and shared properly. If not, try expanding your index eventtype:
(index=msad OR index=main) eventtype=wineventlog_security EventCode=4624 user!="*$"

If that works, make sure your definition is correct and shared properly. If not, try expanding the wineventlog_security eventtype:
(index=msad OR index=main) (search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security) EventCode=4624 user!="*$"

If that works, make sure Splunk_TA_windows is installed the wineventlog_security eventtype is working. If that doesn't work then your problem is not with the eventtype definitions, but rather with the data itself. Things to try:

Do you have Splunk_TA_windows installed on your indexers/search heads?
Are the source's renamed correctly as per TA_Windows ta-windows-fix-xml-source definition and the requirements of the wineventlog_security eventtype?
Are your indexes correct and populated within the search timeframe?

Finally, if you still can't get results, try stripping of key values from the search to check if the search is working:
(index=msad OR index=main) (search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security)

If you get results, the problem is with the field extractions: EventCode=4624 user!="*$" check that Splunk_TA_windows is working as expected, check your inputs, props and transforms are all aligned.

Good luck!

Re: Content Pack for Windows Dashboards and Reports data not showing

karampatsis — Thu, 01 Aug 2024 09:17:56 GMT

Hello Tom,

thank you very much for your answer.

Τesting the ones you sent me I noticed that if I search for example for:

eventtype=wineventlog_index_windows eventtype=wineventlog_security

I do not get any results, the same if I make a search for: eventtype=wineventlog_index.

But if I try for : eventtype=wineventlog_security I am getting results.

In eventtypes.conf file in DA-ITSI-CP-windows-dashboards/local folder i made the following changes

[windows_index_windows]

definition= index=windows OR index=main

[perfmon_index_windows]

definition= index=perfmon OR index=itsi_im_metrics

[wineventlog_index_windows]

definition= index=wineventlog OR index=main

Do you have any idea why this is happening?

When you are writing "definition is correct and shared properly" what exactly do you mean?

Thanks in advance

Re: Content Pack for Windows Dashboards and Reports data not showing

karampatsis — Thu, 08 Aug 2024 03:52:32 GMT

Does anyone know why eventtype

[wineventlog_index_windows]
definition= index=wineventlog OR index=main

doesn't return something?

Am I doing something wrong in the eventtypes.conf file or should I declare it somewhere else as well?

Thank you very much

Re: Content Pack for Windows Dashboards and Reports data not showing

Tom_Lundie — Thu, 08 Aug 2024 09:41:22 GMT

I think I can see the issue here:

[wineventlog_index_windows] definition= index=wineventlog OR index=main

This should be:

[wineventlog_index_windows] search = index=wineventlog OR index=main

Note the "search" directive instead of "definition". Definition is used in macros.conf. Let me know how you get on 🙂

Re: Content Pack for Windows Dashboards and Reports data not showing

karampatsis — Sun, 11 Aug 2024 03:40:54 GMT

Tom everything seems to be working fine.
Your help was crucial in finding the problem.
Thank you very much