
Content Pack for Windows Dashboards and Reports data not showing

karampatsis
Engager

Hello, I am using Splunk Enterprise with IT Essentials Work, the Windows Add-on and the Content Pack for Windows Dashboards and Reports. I made all the necessary configurations for the Content Pack for Windows Dashboards and Reports, but I still cannot see any data in the dashboards or the reports.

In the eventtypes.conf file in the DA-ITSI-CP-windows-dashboards/local folder I made the following changes:

[windows_index_windows]
definition= index=windows OR index=main

[perfmon_index_windows]
definition= index=perfmon OR index=itsi_im_metrics

[wineventlog_index_windows]
definition= index=wineventlog OR index=main
 
I think the problem starts from the fact that eventtypes are not recognized in searches.
For example the search (eventtype=msad-successful-user-logons OR eventtype=msad-failed-user-logons) returns nothing.
In eventtypes.conf the above stanza is:
[msad-successful-user-logons]
search = eventtype=wineventlog_index_windows eventtype=wineventlog_security EventCode=4624 user!="*$"
 
If I run the search:
index=main EventCode=4624 user!="*$" I get results.
 
Can someone help me to solve the problem?
 
Thanks

[msad_index_windows]
search= index=msad OR index=main

Tom_Lundie
Contributor

Hello,

With these sorts of issues it's best to work your way down to eliminate the possible causes.

Take an exemplar broken search from the dashboard and try to run it manually:
eventtype=msad-successful-user-logons

If that doesn't work, try to run the definition manually:
eventtype=wineventlog_index_windows eventtype=wineventlog_security EventCode=4624 user!="*$"

If that works, make sure the msad-successful-user-logons definition is correct and shared properly. If not, try expanding your index eventtype:
(index=msad OR index=main) eventtype=wineventlog_security EventCode=4624 user!="*$"

If that works, make sure your definition is correct and shared properly. If not, try expanding the wineventlog_security eventtype:
(index=msad OR index=main) (source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security) EventCode=4624 user!="*$"

If that works, make sure Splunk_TA_windows is installed and the wineventlog_security eventtype is working. If that doesn't work, then your problem is not with the eventtype definitions, but rather with the data itself. Things to try:

  • Do you have Splunk_TA_windows installed on your indexers/search heads?
  • Are the sources renamed correctly as per the TA_Windows ta-windows-fix-xml-source definition and the requirements of the wineventlog_security eventtype?
  • Are your indexes correct and populated within the search timeframe?

Finally, if you still can't get results, try stripping off key values from the search to check if the search is working:
(index=msad OR index=main) (source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security)

If you get results, the problem is with the field extractions (EventCode=4624 user!="*$"): check that Splunk_TA_windows is working as expected, and check that your inputs, props and transforms are all aligned.

Good luck!


karampatsis
Engager

Does anyone know why eventtype

[wineventlog_index_windows]
definition= index=wineventlog OR index=main

doesn't return anything?

Am I doing something wrong in the eventtypes.conf file or should I declare it somewhere else as well?

Thank you very much


Tom_Lundie
Contributor

I think I can see the issue here:

[wineventlog_index_windows]
definition= index=wineventlog OR index=main

This should be:

[wineventlog_index_windows]
search = index=wineventlog OR index=main

Note the "search" directive instead of "definition". Definition is used in macros.conf. Let me know how you get on 🙂

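The two answers above describe a manual procedure: check each eventtypes.conf stanza for the wrong key, then expand nested eventtypes by hand until the search either returns data or reveals which layer is broken. The script below is an added example (not code from the thread or from Splunk) that automates both steps. The eventtypes.conf text inside it is constructed to mirror the stanzas quoted in the question and the wineventlog_security search quoted in the accepted answer; the parser is a simplified one that assumes no continuation lines.

```python
"""Check a Splunk eventtypes.conf fragment and expand nested eventtypes into plain SPL.

Added example for this thread; not code from the original posts or from Splunk.
The conf text is constructed to mirror the stanzas quoted in the thread.
"""
import re

# Constructed eventtypes.conf: the three stanzas the question wrote with the
# macros.conf key 'definition', one written correctly with 'search', the
# wineventlog_security search quoted in the accepted answer, and the content
# pack eventtype that references them.
EVENTTYPES_CONF = """\
[windows_index_windows]
definition= index=windows OR index=main

[perfmon_index_windows]
definition= index=perfmon OR index=itsi_im_metrics

[wineventlog_index_windows]
definition= index=wineventlog OR index=main

[msad_index_windows]
search= index=msad OR index=main

[wineventlog_security]
search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security

[msad-successful-user-logons]
search = eventtype=wineventlog_index_windows eventtype=wineventlog_security EventCode=4624 user!="*$"
"""

STANZA = re.compile(r"^\[(.+)\]$")
# eventtype=name or eventtype="name" inside a search string
EVENTTYPE_REF = re.compile(r'eventtype=("?)([\w.\-]+)\1')


def parse_conf(text):
    """Return {stanza: {key: value}} for simple .conf text (no continuation lines)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if sep and current is not None:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_eventtypes(stanzas):
    """List (stanza, problem) for eventtypes that have nothing to match on."""
    problems = []
    for name, keys in stanzas.items():
        if "search" in keys:
            continue
        if "definition" in keys:
            problems.append((name, "uses 'definition' (a macros.conf key); rename it to 'search'"))
        else:
            problems.append((name, "has no 'search' key"))
    return problems


def rename_definition_to_search(stanzas):
    """Return a copy where any 'definition' key becomes 'search' (the fix from the answer)."""
    fixed = {}
    for name, keys in stanzas.items():
        keys = dict(keys)
        if "definition" in keys and "search" not in keys:
            keys["search"] = keys.pop("definition")
        fixed[name] = keys
    return fixed


def expand_eventtype(name, stanzas, _seen=frozenset()):
    """Replace every eventtype=<ref> in the named eventtype's search with the
    parenthesised search it stands for, recursively. This is the manual
    'expand the eventtype' step from the answer, automated."""
    if name in _seen:
        raise ValueError(f"eventtype reference cycle at {name!r}")
    search = stanzas.get(name, {}).get("search")
    if search is None:
        # Same symptom the question saw: the stanza exists on disk but has no
        # 'search', so eventtype=<name> can never match an event.
        raise KeyError(f"eventtype {name!r} has no 'search' key (misspelled, "
                       f"written as 'definition', or not shared to this app?)")
    return EVENTTYPE_REF.sub(
        lambda m: "(" + expand_eventtype(m.group(2), stanzas, _seen | {name}) + ")",
        search)


if __name__ == "__main__":
    broken = parse_conf(EVENTTYPES_CONF)
    for stanza, problem in lint_eventtypes(broken):
        print(f"[{stanza}] {problem}")
    try:
        expand_eventtype("msad-successful-user-logons", broken)
    except KeyError as err:
        print("broken conf:", err)
    fixed = rename_definition_to_search(broken)
    print("fixed conf:", expand_eventtype("msad-successful-user-logons", fixed))
```

Run against the broken fragment, the lint reports the three stanzas written with definition, and expanding msad-successful-user-logons stops at wineventlog_index_windows, which is exactly the eventtype the question found returning nothing. After the rename, the expansion yields the fully expanded SPL that the accepted answer builds by hand, which can then be run directly in Splunk to confirm the data itself is present.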

karampatsis
Engager

Tom everything seems to be working fine.
Your help was crucial in finding the problem.
Thank you very much



karampatsis
Engager

Hello Tom,

thank you very much for your answer.

Testing the ones you sent me, I noticed that if I search for example for:

eventtype=wineventlog_index_windows eventtype=wineventlog_security

I do not get any results, and the same if I make a search for: eventtype=wineventlog_index.

But if I try: eventtype=wineventlog_security I am getting results.

In the eventtypes.conf file in the DA-ITSI-CP-windows-dashboards/local folder I made the following changes:

[windows_index_windows]
definition= index=windows OR index=main

[perfmon_index_windows]
definition= index=perfmon OR index=itsi_im_metrics

[wineventlog_index_windows]
definition= index=wineventlog OR index=main
 
Do you have any idea why this is happening? 
 
When you are writing "definition is correct and shared properly" what exactly do you mean?
 
Thanks in advance