How do I resolve Splunk App for Windows Infrastructure event type errors in a distributed environment? They are all enabled but not producing any results.
Eventtype 'perfmon_windows' does not exist or is disabled.
Eventtype 'wineventlog_windows' does not exist or is disabled.
Eventtype 'wineventlog_security' does not exist or is disabled.
Problem solved:
It seems to be more of a permission issue. I accessed the SH and did a recursive permission change for the Splunk_TA_windows. I checked the box for "Replace all child object permissions with inheritable permissions from this object" and restarted splunkd.
These KOs (and other things) are defined in the Splunk_TA_windows app which should always be deployed together with the splunk_app_windows_infrastructure app.
Hi afolabia,
you have three solutions:
index=wineventlog
and then add this eventtype to the others; index=wineventlog
..
The second solution is longer but, in my opinion, preferable because it has the best performance.
Ciao.
Giuseppe
Thanks, but should I be doing that since all I'm using is the default TAs for Windows infrastructure and Windows? Also, I do have the eventtype with these included.
Hi afolabia,
I agree with you and I don't know why in many apps there aren't eventtypes with index.
As I said, you can also put the indexes in the default search path for all the roles you have, but in my installations I always customized eventtypes.
If you want, it's another way to give value to your work!
Ciao.
Giuseppe