
Is there a props.conf timestamp configuration for the Splunk App for Windows Infrastructure?

daniel333
Builder

All,

We just stood up the Splunk App for Windows Infrastructure yesterday, and since doing so, I am getting alerts about log ingestion time being high for the WindowsUpdateLog. I don't see the normal time look ahead and breakers etc. I am not familiar with Windows+Splunk, so before I go and write out props.conf for this, I just wanted to make sure I am right and this was indeed missing from the app?

When I look at props.conf, I don't see any timestamp-related settings:

[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host as dest
REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
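For reference, a minimal timestamp and line-breaking stanza for this sourcetype, added here as an example and not taken from the app or from this thread. It assumes the classic tab-separated WindowsUpdate.log layout (date, time with colon-separated milliseconds, PID, TID, component, message) and that a space in TIME_FORMAT matches the tab separator as in strptime; it belongs on the parsing tier and should be checked against a few real events before rollout.

```ini
# Added example (not from the app or this thread). Assumes the classic
# tab-separated WindowsUpdate.log layout; constructed sample line:
#   2016-06-20<TAB>15:08:31:321<TAB> 960<TAB>1208<TAB>Agent<TAB>  * Message
# Deploy in props.conf on the parsing tier (indexers or heavy forwarders).
[WindowsUpdateLog]
# One event per line: skip the line-merging pass entirely.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp sits at the very start of the line.
TIME_PREFIX = ^
# Date, separator, time with colon-separated milliseconds (%3N).
# Assumption: the space between %d and %H matches the tab, as in strptime.
TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N
# "2016-06-20<TAB>15:08:31:321" is 23 characters; stop scanning just past it.
MAX_TIMESTAMP_LOOKAHEAD = 25
```

With an explicit TIME_PREFIX, TIME_FORMAT and a tight MAX_TIMESTAMP_LOOKAHEAD, the indexer no longer has to search each line for a plausible timestamp, which is the usual cause of the high parse time this kind of alert reports.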

maciep
Champion

I believe there is an add-on that needs to go on the parsing layer of your env (probably the indexer). There's a chart on this page of the documentation that highlights which app/add-on needs to go where.

http://docs.splunk.com/Documentation/MSApp/1.2.1/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastruc...


daniel333
Builder

So the only index-time app listed there does not have much timestamping in its props.conf. Seems I might need to write this myself, unless someone else has written it? Hoping I am wrong, as this sounds like a lot of hours.

Looking at my queues, Windows logs are a big offender.
I also have an indexing latency dashboard, and Windows logs are dominating the list.


maciep
Champion

So are your timestamps incorrect, or is it just alerting that it's taking a relatively long time to parse them out?

I think this is a Splunk-supported app, so if it needs to be addressed, maybe open a case with them to fix it. That could benefit everyone in the end. Not sure of the urgency for you to resolve the issue, though.


daniel333
Builder

Urgency isn't terrible, but I can see it taking a lot of time in my queues. Worst offenders. I think I'll open a support ticket. Not sure I want to go through and write 40 props.conf stanzas for a supported app.
