Can't get data from inputs defined under "TA for Windows"

neerajshah81
Path Finder

Hi all,

I have a single instance of Splunk Enterprise on 7.1.2 running on Linux. My requirement is to get data in from our Windows Active Directory Domain Controllers. I have installed the "Splunk App For Windows Infrastructure" on my Splunk server and accordingly configured the TA for Windows, TA for DNS and TA for Active Directory, and deployed the same components to my Windows AD server as per the instructions in the documentation of that app.

The issue that I am facing is that I am getting all the data in (from my Windows AD server) in Splunk except from whatever inputs have been configured in inputs.conf of Splunk_TA_windows. For instance, if I run a simple search for source="WinEventLog:Security" | host="<our-AD-server>", it returns 0 results. Likewise, other searches for other input stanzas such as source="c:\\windows\\system32\\dns\\dns.log" also return 0 results.

Below is the snippet of my C:\Program Files\SplunkUnivForwarder\SplunkTA_Windows\local\inputs.conf from our Windows AD Server.

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
suppress_text = 1

[monitor://C:\Windows\System32\dns\dns.log]
disabled = false

[admon://NearestDC]
monitorSubtree = 1

I am able to get other events and sourcetypes from this AD server, such as PerfMON stats and other AD-related information, so there isn't a network connectivity or firewall issue. Screenshot attached.

Can someone advise what might be causing the inputs.conf defined in "TA for Windows" to not work? While installing the UF on the Windows AD server, I used the "local system" account for installing, which shouldn't make a difference, I believe.

adonio
Ultra Champion

Try to add index = * or index = main before your search.

neerajshah81
Path Finder

Adonio, thanks a bunch. That worked. But is there any reason that these events and their count did not show up earlier while searching for "host=AD Server" and right-clicking on "Sources" or "Sourcetypes" in the fields bar on the left?

The moment I ran the search for index=* and index=main, I could see them listed under the Source and Sourcetypes fields on the left.

sudosplunk
Motivator

This may be because of the "srchIndexesDefault" setting for a user. srchIndexesDefault is a semicolon-delimited list of indexes to search when no index is specified.
So, if you don't specify the index name in your search, Splunk will look at the default indexes to search. Hence the inconsistencies in results.

Below is more information on this setting:

srchIndexesDefault = <semicolon-separated list>
* A semicolon-delimited list of indexes to search when no index is specified.
* These indexes can be wild-carded ("*"), with the exception that '*' does not
  match internal indexes.
* To match internal indexes, start with '_'. All internal indexes are
  represented by '_*'.
* The wildcard character '*' is limited to match either all the non-internal
  indexes or all the internal indexes, but not both at once.
* If you make any changes in the "Indexes searched by default" Settings panel
  for a role in Splunk Web, those values take precedence, and any wildcards
  you specify in this setting are lost.
* Defaults to none.
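As an added illustration (not code from this thread or from Splunk), the check below reads an inputs.conf like the one posted above, works out which index each enabled stanza writes to (assuming main when index= is unset; the TA's own default/inputs.conf may route events elsewhere), and applies the srchIndexesDefault wildcard rules quoted in the spec text to flag inputs whose events a search with no index= clause would never return.

```python
import configparser
import fnmatch

# Constructed sample: the question's forwarder inputs.conf with no index=
# on any stanza. Assumption: events without index= land in "main"
# (the TA's own default/inputs.conf may route them to another index).
INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
start_from = oldest

[monitor://C:\Windows\System32\dns\dns.log]
disabled = false

[admon://NearestDC]
monitorSubtree = 1
"""

def parse_conf(text):
    """Parse a Splunk .conf file into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as-is
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def stanza_indexes(stanzas, default_index="main"):
    """Map each enabled input stanza to the index its events are written to."""
    return {name: keys.get("index", default_index)
            for name, keys in stanzas.items()
            if keys.get("disabled", "0").lower() not in ("1", "true")}

def default_search_covers(index, srch_indexes_default):
    """srchIndexesDefault wildcard rules from the spec text:
    '*' matches only non-internal indexes, '_*' only internal (underscore) ones."""
    for pattern in (p.strip() for p in srch_indexes_default.split(";")):
        if pattern == "*":
            if not index.startswith("_"):
                return True
        elif pattern and fnmatch.fnmatchcase(index, pattern):
            return True
    return False

def invisible_inputs(inputs_conf_text, srch_indexes_default):
    """Return {stanza: index} for inputs a search with no index= clause never shows."""
    return {name: idx
            for name, idx in stanza_indexes(parse_conf(inputs_conf_text)).items()
            if not default_search_covers(idx, srch_indexes_default)}
```

Calling invisible_inputs(INPUTS_CONF, "wineventlog;_*") models a role whose default indexes omit main and reports all three stanzas as hidden, while "main" or "*" reports none.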
