All Apps and Add-ons

Can't get data from inputs defined under "TA for Windows"

neerajshah81
Path Finder

hi All,

I have a single instance of Splunk Enterprise on 7.1.2 running on Linux. My requirement is to get data in from our Windows Active Directory Domain Controllers. I have installed the "Splunk App For Windows Infrastructure" on my Splunk server and accordingly configured the TA for windows, TA for DNS and TA for Active Directory & deployed the same components to my Windows AD server as per the instructions mentioned in the documentation of that app.

The issue that i am facing is, i am getting all the data in (from my Windows AD server) in Splunk except from whatever inputs that have been configured in inputs.conf of Splunk_TA_windows. For instance if i run a simple search for source="WinEventLog:Security" | host="<our-AD-server>" , it returns 0 results. Like wise other searches for other input stanzas such as source="c:\\windows\\system32\\dns\\dns.log" also return 0 results.

Below is the snippet of my C:\Program Files\SplunkUnivForwarder\SplunkTA_Windows\local\inputs.conf from our Windows AD Server.

[WinEventLog://Security]
checkpointInterval = 5 
current_only = 0 
disabled = 0  
start_from = oldest 
suppress_text = 1

[monitor://C:\Windows\System32\dns\dns.log] 
disabled = false

 [admon://NearestDC]
 monitorSubtree = 1

I am able to get other events & sourcetypes from this AD server such as PerfMON stats and other AD related information from the AD server so there isnt a network connectivity issue or firewall issue. Screenshot attached.

alt text

Can someone advise what might be causing the inputs.conf defined in "TA for Windows" to not work ? While installing the UF on Windows AD server, i used "local system" account for installing which shouldn't make a difference i believe.

0 Karma

adonio
Ultra Champion

try to add index = * or index = main before your search

neerajshah81
Path Finder

Adonio, thanks a bunch. That worked. But any reason that these events & their count did not show up earlier while searching for "host=AD Server" and right click on the "Sources" or Sourcetypes" In the fields bar on left ?

The moment i ran the search for index=* and index=main, i can see they got listed under Source & Sourcetypes fields on left.

0 Karma

sudosplunk
Motivator

This may be because of "srchIndexesDefault" setting for a user. srchIndexesDefault - is a semicolon-delimited list of indexes to search when no index is specified.
So, if you don't specify the index name in your search, splunk will look at default indexes to search. Hence, inconsistencies in results.

Below is more information of this setting:

srchIndexesDefault =
* A semicolon-delimited list of indexes to search when no index is specified.
* These indexes can be wild-carded (""), with the exception that '' does not
match internal indexes.
* To match internal indexes, start with ''. All internal indexes are
represented by '
'.
* The wildcard character '
' is limited to match either all the non-internal
indexes or all the internal indexes, but not both at once.
* If you make any changes in the "Indexes searched by default" Settings panel
for a role in Splunk Web, those values take precedence, and any wildcards
you specify in this setting are lost.
* Defaults to none.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...