Free Splunk Add Data missing?

JuergenUser — Wed, 02 Dec 2020 14:33:10 GMT

Hi,

I'm new at splunk and signed up for Free Splunk Cloud.

I setup a universal forwarder on a windows server and connected this forwarder to my instance of splunk cloud. I can see that there i a connection on the firewall but also in splunk on the cloud monitoring console at Forwarders I can see this machine sending some data.

Then I want to send more data and added to the inputs.conf on the system/local on windows server the sections:

[WinEventLog] interval=60 evt_resolve_ad_obj = 0 evt_dc_name= vDC01.xxxx.yyyyy evt_dns_name= xxxxx.yyyyy [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5

Now I wonder why I cannot see any data on the splunk for that.

Because in global section there is

[default] index = default

I should find that on default index - but there are no data?

Sure in the Secury-Eventlog is enought data to transfer. I wonder what to write to the inputs.conf when the windows version is localized to german - but found nothing on the weg so i think WinEventLog://Security is correct.

Then I go thru the data I can see - I wonder if ack=false is a problem?

2-02-2020 14:22:56.866 +0000 INFO Metrics - group=tcpin_connections, ingest_pipe=0, 194.208.5.50:53158:9997, connectionType=cookedSSL, sourcePort=53158, sourceHost=xxxxxxxx, sourceIp=yyyyyy, destPort=9997, kb=0.3212890625, _tcp_Bps=10.612885479692524, _tcp_KBps=0.01036414597626223, _tcp_avg_thruput=0.3515837042852563, _tcp_Kprocessed=2229.7880859375, _tcp_eps=0.03225801057657302, _process_time_ms=0, evt_misc_kBps=0, evt_raw_kBps=0, evt_fields_kBps=0, evt_fn_kBps=0, evt_fv_kBps=0, evt_fn_str_kBps=0, evt_fn_meta_dyn_kBps=0, evt_fn_meta_predef_kBps=0, evt_fn_meta_str_kBps=0, evt_fv_num_kBps=0, evt_fv_str_kBps=0, evt_fv_predef_kBps=0, evt_fv_offlen_kBps=0, evt_fv_fp_kBps=0, build=24fd52428b5a, version=8.1.0.1, os=Windows, arch=x64, hostname=zzzzzzzzzz, guid=38460E6F-B4AF-479B-B3ED-717E41DD40A5, fwdType=uf, ssl=true, lastIndexer=54.156.189.210:9997, ack=false

Then I googled and found that I have to add a datasource under Settings | Data | "Datasource" (not sure how to translate correct).

When I go to this I function and I think here is something missing:

There are "local sources":

- Here I see HTTP and are able to add new sources (under actions)

"Forwarded sources"

- Here everything is empty - no button to add anything

If I understand correctly I have to add windows Eventlog here?

Thank you!

Regards

Juergen

topic Free Splunk Add Data missing? in Getting Data In

Free Splunk Add Data missing?