All,
We just stood up the Splunk App for Windows Infrastructure yesterday, and since doing so, I am getting alerts about log ingestion time being high for the WindowsUpdateLog. I don't see the normal time look ahead and breakers etc. I am not familiar with Windows+Splunk, so before I go and write out props.conf for this, I just wanted to make sure I am right and this was indeed missing from the app?
When I look at props.conf, I don't see any timestamp related settings:
[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host as dest
REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
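For reference, this is what an explicit index-time stanza for the sourcetype could look like. It is an added example, not part of the Splunk App for Windows Infrastructure or its add-on, and it assumes the newer WindowsUpdate.log line layout (as produced by Get-WindowsUpdateLog), where each line starts with a timestamp such as `2019/03/21 10:15:32.1234567` followed by PID, TID and component columns; if your lines use the older tab-separated `YYYY-MM-DD<TAB>HH:MM:SS:mmm` layout, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD must be changed to match. The stanza belongs on whichever tier parses the data (indexer or heavy forwarder), and the regex and format should be checked against real lines in the Add Data preview before it is deployed.

```ini
# Added example, not the app's own props.conf. Place on the parsing tier
# (indexer or heavy forwarder); index-time settings are ignored on search heads.
[WindowsUpdateLog]
# Each log line is one event; never merge lines, so the merger never has to
# inspect more than one line per event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp is at the very start of the line (assumed layout:
# "2019/03/21 10:15:32.1234567 1234  5678  Agent ...").
TIME_PREFIX = ^
# Four-digit year, slash-separated date, 7 subsecond digits (Windows FILETIME
# precision). Drop ".%7N" if you only need second precision.
TIME_FORMAT = %Y/%m/%d %H:%M:%S.%7N
# Timestamp is 27 characters; a tight lookahead stops the extractor
# scanning the rest of the line.
MAX_TIMESTAMP_LOOKAHEAD = 27
# Windows Update writes local time; set this only if you know the host
# timezone and it differs from the indexer's (value is an assumption).
# TZ = America/New_York
# Upper bound on event size; anything larger is truncated rather than
# walked line by line.
TRUNCATE = 10000
```

The settings that matter most for parse time are `SHOULD_LINEMERGE = false`, `TIME_PREFIX`, and `MAX_TIMESTAMP_LOOKAHEAD`: without them Splunk falls back to the default 128-character lookahead and automatic format detection on every event, which is what typically shows up as high ingestion latency on a busy queue.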
I believe there is an add-on that needs to go on the parsing layer of your env (probably the indexer). There's a chart on this page of the documentation that highlights which app/add-on needs to go where.
So the only index-time app listed there does not have much timestamping in its props.conf. Seems I might need to write this myself unless someone else has written it? Hoping I am wrong, as this sounds like a lot of hours.
Looking at my queues, Windows logs are a big offender.
Also have an indexing latency dashboard, and Windows logs are dominating the list.
So are your timestamps incorrect, or is it just alerting that it's taking a relatively long time to parse them out?
I think this is a Splunk-supported app, so if it needs to be addressed, maybe open a case with them to fix it. That could benefit everyone in the end. Not sure of the urgency for you resolving the issue though.
Urgency isn't terrible, but I can see it taking a lot of time in my queues. Worst offenders. I think I'll open a support ticket. Not sure I want to go through and write 40 props.conf stanzas for a supported app.