topic Re: Splunk App for Windows Infrastructure default index issue in Getting Data In

Splunk App for Windows Infrastructure default index issue

token2 — Fri, 12 Mar 2021 01:46:53 GMT

I have the latest SA-LDAP, Splunk_TA_Windows and Windows Infra apps installed. I have sourcetype WinHostMon data coming in, but the Infrastructure app guided setup says it is not detected.

I jumped over to one of the infra dashboards and all panels have "No results found" >> Host Monitoring - Operations >> Disk Free Space Distribution and opened that in search. By simply inputting index=windows the search then works.

Where does the app designate the default index it's searches refer to?

Re: Splunk App for Windows Infrastructure default index issue

gcusello — Fri, 12 Mar 2021 07:44:15 GMT

Hi @token2,

at first see if you have logs in the indexes where logs are stored: If you haven't results, there's a problem in log ingestion.

If instead you have results, open a search of one panel in Search, then add index="win*" to the main search and see if you have results: probably the indexes where logs are stored isn't in the default search path.

If this is the problem you have two choices:

add those indexes to the default path for the roles you're using,
modify all the eventtypes adding the indexes.

First solution is quicher to resolve but I don't like because your searches are slower.

I prefer the second solution even if is longer to implement but is more performant.

Ciao.

Giuseppe

Re: Splunk App for Windows Infrastructure default index issue

token2 — Fri, 12 Mar 2021 23:09:31 GMT

@gcusello I get results if I input index=win* (in this case its index=windows).

How does one go about changing the default path for the role via .conf files? I see it in the GUI:

Settings >> Authentication Methods (because using LDAP in this case) >> LDAP Settings >> Map groups >> Edit LDAP group name user is affected by, added "winfra-admin".

Where is this found inside of the Splunk file system?

Re: Splunk App for Windows Infrastructure default index issue

gcusello — Sat, 13 Mar 2021 06:56:25 GMT

Hi @token2,

the easiest way is to do this by gui in [Settings -- Roles -- your_role -- indexes].

If you want to do this in .conf file, open: %SPLYNK_HOME/etc/system/local/authorize.conf and in the stanza of you role add (if there isn't) or modify the option srchIndexesDefault.

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it fot the other people of Community or tell me how can I help you more (and Karma Points are apprecited 😉 )