https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363449#M66223 <P>Hi</P> <P>How have you determined that the events are being sent to the indexer?</P> <P>Could it be that the date format of the events is being misinterpreted and the events indexed today from the Domain Controllers are being indexed with a timestamp of 10 February 2017? </P> <P>Dave</P> Mon, 02 Oct 2017 15:39:58 GMT davebrooking 2017-10-02T15:39:58Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363448#M66222 <P>A UF was installed on 2 Windows domain Controllers. These are in a different windows forest than my other devices. I had to manually add these to the windows_eventlog class by IP as the DNS name can't be resolved. I now see them sending to the indexer but I can't search any of the events. How can I trouble shoot this?</P> <P>Thanks!</P> Mon, 02 Oct 2017 13:22:45 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363448#M66222 pfabrizi 2017-10-02T13:22:45Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363449#M66223 <P>Hi</P> <P>How have you determined that the events are being sent to the indexer?</P> <P>Could it be that the date format of the events is being misinterpreted and the events indexed today from the Domain Controllers are being indexed with a timestamp of 10 February 2017? </P> <P>Dave</P> Mon, 02 Oct 2017 15:39:58 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363449#M66223 davebrooking 2017-10-02T15:39:58Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363450#M66224 <P>I will check for that, It appears that I have to use the IP address and I had to manually add them to the server class on my deployment server. If I tried by DNS name the apps for the windows server class was not added, however when I added the IP they got configured. I have not had to do that with any other servers that I am aware of.</P> Tue, 03 Oct 2017 12:42:39 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363450#M66224 pfabrizi 2017-10-03T12:42:39Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363451#M66225 <P>You could read the metrics.log <A href="https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Aboutmetricslog">(documentation here)</A> of the universal forwarder, the series= lines should advise which index, sourcetype and source the data was going through the forwarder.<BR /> The metrics.log/splunkd.log should confirm that the forwarder is forwarding as expected.</P> <P>The tstats command might also help here, for example you could do:</P> <PRE><CODE>| tstats count, max(_indextime) AS mostRecent, max(_time) AS mostRecentParsedTime where index=windows groupby host | eval mostRecent = strftime(mostRecent, "%+"), mostRecentParsedTime = strftime(mostRecentParsedTime, "%+") </CODE></PRE> <P>You could then narrow down to an index/sourcetype/source or similar and include/exclude hosts until you narrow down to where your hosts are, perhaps they used IP instead of DNS name?<BR /> Since <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats">tstats</A> queries metadata only it is quite quick to run over larger periods of time, however you can only use the where clause against indexed fields...</P> <P>Finally, if you can see data leaving the forwarder but you are unsure where it's going run the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations">btool command</A>:</P> <PRE><CODE>splunk btool outputs list --debug </CODE></PRE> Wed, 04 Oct 2017 12:06:25 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-Not-showing-Up-on-Indexer/m-p/363451#M66225 gjanders 2017-10-04T12:06:25Z