All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Event Monitoring dashboard not showing events

jeremyhagand61
Communicator
‎08-11-2019 11:54 PM

Hi,

I've installed and configured this app (v6.0) in a test environment with logs from three Windows servers being indexed into the "wineventlog" index. I can see the events being indexed, Event Monitoring dashboard isn't showing any events.

The input lookup which is supposed to be populating the "Log Name" field isn't returning any results.

When I go to "Tools and Settings > Customise Features' I see that the "Event Monitoring" feature is not selected. I have selected it and clicked Save, but it keeps going back to unticked.

How can I troubleshoot this?

I have run the selection under Tools and Settings to generate the lookups and restarted Splunk

Splunk version 7.3.1
Splunk App for Windows Infra: 1.5.2
Splunk TA Windows: 6.0

Cheers,
Jeremy.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeremyhagand61
Communicator
‎08-12-2019 06:12 PM

I managed to fix this by changing the renderXml=true to false in every WinEventLog stanza of the inputs.conf.

This is documented here:
https://docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWind...

All the wineventlog inputs (Windows, AD, and DNS) will have renderXml=true (Xml Format) by default. Make it false for all WinEventLog Inputs as XML data is not supported.

But it is very easy to miss. After I modified the inputs.conf and redistributed it I regenerated the lookups (Tools and Setting > Build Lookups) and all is happy.

View solution in original post

Reply
Solved! Jump to solution
Solution

jeremyhagand61
Communicator
‎08-12-2019 06:12 PM

I managed to fix this by changing the renderXml=true to false in every WinEventLog stanza of the inputs.conf.

This is documented here:
https://docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWind...

All the wineventlog inputs (Windows, AD, and DNS) will have renderXml=true (Xml Format) by default. Make it false for all WinEventLog Inputs as XML data is not supported.

But it is very easy to miss. After I modified the inputs.conf and redistributed it I regenerated the lookups (Tools and Setting > Build Lookups) and all is happy.

Reply
Solved! Jump to solution

teak421
Path Finder
‎05-01-2020 11:21 AM

This happened to me as well. Nice catch!

I wish that the inputs.conf file that comes with WindowsTA would have the correct defaults. Boy, that would save a ton of time!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...