
Can't get data from inputs defined under "TA for Windows"

neerajshah81
Path Finder

Hi all,

I have a single instance of Splunk Enterprise 7.1.2 running on Linux. My requirement is to get data in from our Windows Active Directory Domain Controllers. I have installed the "Splunk App For Windows Infrastructure" on my Splunk server and accordingly configured the TA for Windows, TA for DNS and TA for Active Directory, and deployed the same components to my Windows AD server as per the instructions in the documentation of that app.

The issue that I am facing is that I am getting all the data (from my Windows AD server) into Splunk except for whatever inputs have been configured in inputs.conf of Splunk_TA_windows. For instance, if I run a simple search for source="WinEventLog:Security" | host="<our-AD-server>", it returns 0 results. Likewise, other searches for other input stanzas, such as source="c:\\windows\\system32\\dns\\dns.log", also return 0 results.

Below is a snippet of C:\Program Files\SplunkUnivForwarder\SplunkTA_Windows\local\inputs.conf from our Windows AD server.

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
suppress_text = 1

[monitor://C:\Windows\System32\dns\dns.log]
disabled = false

[admon://NearestDC]
monitorSubtree = 1

I am able to get other events and sourcetypes from this AD server, such as PerfMon stats and other AD-related information, so there isn't a network connectivity or firewall issue. Screenshot attached.

Can someone advise what might be causing the inputs defined in "TA for Windows" to not work? While installing the UF on the Windows AD server, I used the "local system" account, which shouldn't make a difference, I believe.

adonio
Ultra Champion

try to add index = * or index = main before your search

neerajshah81
Path Finder

Adonio, thanks a bunch. That worked. But is there any reason that these events and their count did not show up earlier when searching for "host=AD Server" and right-clicking on the "Sources" or "Sourcetypes" fields in the fields bar on the left?

The moment I ran the search with index=* or index=main, I could see them listed under the Source and Sourcetype fields on the left.

sudosplunk
Motivator

This may be because of the "srchIndexesDefault" setting for a user's role. srchIndexesDefault is a semicolon-delimited list of indexes to search when no index is specified.
So, if you don't specify the index name in your search, Splunk will look only at the default indexes for that role. Hence the inconsistency in results.

Below is more information of this setting:

srchIndexesDefault = <semicolon-delimited list>
* A semicolon-delimited list of indexes to search when no index is specified.
* These indexes can be wild-carded ("*"), with the exception that '*' does not
  match internal indexes.
* To match internal indexes, start with '_'. All internal indexes are
  represented by '_*'.
* The wildcard character '*' is limited to match either all the non-internal
  indexes or all the internal indexes, but not both at once.
* If you make any changes in the "Indexes searched by default" Settings panel
  for a role in Splunk Web, those values take precedence, and any wildcards
  you specify in this setting are lost.
* Defaults to none.
