- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- DNS in the Windows Infrastructure app
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm getting DNS data in form the DNS Debug logs on a Windows Domain Controller using the Splunk Add-on for Microsoft Windows app. However, the majority of the reports for DNS in the Windows Infrastructure app show no results found. Out of the box, the reports look like this in seach:
msad-index eventtype=msad-dns-debuglog direction="Rcv"|top questiontype,questionname|fix-dnsname(questionname)
If I remove msad-index, I get the results I want...
What is msad-index? How do I... create it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version are you using?
The latest Windows TA contains all the necessary add-ons like DNS and AD. Also, you can just modify your existing index to log the events to the correct index mentioned in the app.
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to modify the macros.conf in the Splunk App for Windows Infrastructure 1.5.2, to reflect your custom indexes.
like:
[wineventlog-index]
definition = index=oswin OR index=oswinsec
[perfmon-index]
definition = index=oswinperf
[msad-index]
definition = index=appmsad
[windows-index]
definition = index=oswinscript OR index=netipam OR index=appmsadmon
in /opt/splunk/etc/apps/splunk_app_windows_infrastructure/local
Best Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version are you using?
The latest Windows TA contains all the necessary add-ons like DNS and AD. Also, you can just modify your existing index to log the events to the correct index mentioned in the app.
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Skalli,
You're right, I ended up just redirecting them to the msad index which has resolved my issue.
If I don't set the indexes for each stanza, does it just pick them up from the eventtype?
For future reference;
Splunk Add-on for Microsoft Windows 6.0.0
Splunk App for Windows Infrastructure 1.5.2
Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Eventtypes often don't define an index at all and thus just look through the sourcetypes.
Before installing an app, make sure to go through the configs to see which indexes or sourcetypes it's using. Saves you from trouble. 🙂
The versions are fine, thanks for your feedback.
Skalli
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
