I'm getting DNS data in the form of the DNS Debug logs on a Windows Domain Controller using the Splunk Add-on for Microsoft Windows app. However, the majority of the reports for DNS in the Windows Infrastructure app show no results found. Out of the box, the reports look like this in search:
msad-index eventtype=msad-dns-debuglog direction="Rcv"|top questiontype,questionname|fix-dnsname(questionname)
If I remove msad-index, I get the results I want...
What is msad-index? How do I... create it?
What version are you using?
The latest Windows TA contains all the necessary add-ons like DNS and AD. Also, you can just modify your existing index to log the events to the correct index mentioned in the app.
Skalli
You need to modify the macros.conf in the Splunk App for Windows Infrastructure 1.5.2, to reflect your custom indexes.
like:
[wineventlog-index]
definition = index=oswin OR index=oswinsec
[perfmon-index]
definition = index=oswinperf
[msad-index]
definition = index=appmsad
[windows-index]
definition = index=oswinscript OR index=netipam OR index=appmsadmon
in /opt/splunk/etc/apps/splunk_app_windows_infrastructure/local
Best Regards.
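To make the mechanics of the answer above concrete: `msad-index` is a search macro, and in a saved search Splunk invokes it as `` `msad-index` `` (the backticks are usually lost when pasted into a forum). The macro expands to whatever `definition` the matching stanza in macros.conf carries, so if the data was indexed somewhere the definition does not name, the report searches the wrong index and returns nothing. The following is an added illustration, not code from the Splunk App for Windows Infrastructure or from the poster: it parses a macros.conf fragment, expands macro invocations in a search string, lists the indexes the expanded search actually covers, and reports which indexes holding the data are left out. The macros.conf text and the `DATA_INDEXES` set are constructed sample values; the helper names are my own.

```python
import configparser
import re
from typing import Dict, Set

# Constructed sample of a local/macros.conf override. Index names are
# placeholders mirroring the thread; they are not the app's shipped defaults.
SAMPLE_MACROS_CONF = """\
[wineventlog-index]
definition = index=oswin OR index=oswinsec

[perfmon-index]
definition = index=oswinperf

[msad-index]
definition = index=appmsad

[windows-index]
definition = index=oswinscript OR index=netipam OR index=appmsadmon
"""

# Constructed assumption: the indexes the DNS debug log events actually landed in.
DATA_INDEXES = {"dnsdebug"}

# Splunk macro invocation: the macro name between backticks.
MACRO_RE = re.compile(r"`([A-Za-z0-9_-]+)`")
# An index=<name> term inside an SPL search (optionally quoted, wildcard allowed).
INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?', re.IGNORECASE)


def load_macros(text: str) -> Dict[str, str]:
    """Parse macros.conf stanzas into {macro name: definition}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep stanza and key names exactly as written
    cp.read_string(text)
    return {
        name: cp[name]["definition"].strip()
        for name in cp.sections()
        if "definition" in cp[name]
    }


def expand_search(search: str, macros: Dict[str, str]) -> str:
    """Replace every `name` invocation with its definition.

    The definition is wrapped in parentheses so an OR list keeps its grouping
    when it lands next to other search terms. An undefined macro is an error,
    which is the same failure class Splunk reports for a missing stanza.
    """
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"macro '{name}' is not defined in macros.conf")
        return "(" + macros[name] + ")"
    return MACRO_RE.sub(repl, search)


def indexes_in(expanded_search: str) -> Set[str]:
    """Return the set of index names an expanded search is scoped to."""
    return set(INDEX_RE.findall(expanded_search))


def uncovered_indexes(expanded_search: str, data_indexes: Set[str]) -> Set[str]:
    """Indexes that hold the data but are not named by the search.

    A non-empty result explains a 'no results found' report: the events exist,
    just not in any index the macro points at. A wildcard index=* covers all.
    """
    scoped = indexes_in(expanded_search)
    if "*" in scoped:
        return set()
    return set(data_indexes) - scoped


if __name__ == "__main__":
    macros = load_macros(SAMPLE_MACROS_CONF)
    report = '`msad-index` eventtype=msad-dns-debuglog direction="Rcv"'
    expanded = expand_search(report, macros)
    print("expanded:", expanded)
    print("searches indexes:", sorted(indexes_in(expanded)))
    print("data indexes not covered:", sorted(uncovered_indexes(expanded, DATA_INDEXES)))
```

Running it shows the report expanding to `(index=appmsad) ...`, so data sitting in `dnsdebug` is never searched; either the macro definition in `local/macros.conf` must name that index, or the inputs must be pointed at `appmsad`, which is the fix the original poster settled on.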
Thanks Skalli,
You're right, I ended up just redirecting them to the msad index which has resolved my issue.
If I don't set the indexes for each stanza, does it just pick them up from the eventtype?
For future reference;
Splunk Add-on for Microsoft Windows 6.0.0
Splunk App for Windows Infrastructure 1.5.2
Thanks again!
Eventtypes often don't define an index at all and thus just look through the sourcetypes.
Before installing an app, make sure to go through the configs to see which indexes or sourcetypes it's using. Saves you from trouble. 🙂
The versions are fine, thanks for your feedback.
Skalli