Is there a props.conf timestamp configuration for the Splunk App for Windows Infrastructure?

daniel333
Builder

All,

We just stood up the Splunk App for Windows Infrastructure yesterday, and since doing so, I am getting alerts about log ingestion time being high for the WindowsUpdateLog. I don't see the normal time lookahead, breakers, etc. I am not familiar with Windows+Splunk, so before I go and write out props.conf for this, I just wanted to make sure I am right and this was indeed missing from the app.

When I look at props.conf, I don't see any timestamp-related settings:

[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host as dest
REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
0 Karma
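As an added example (not part of the original post, and not code from the Splunk App for Windows Infrastructure), here are the timestamp and line-breaking settings that a props.conf stanza for this sourcetype would normally carry. It assumes the classic tab-delimited WindowsUpdate.log layout (date, time with milliseconds, pid, tid, component, message); that layout, the whitespace handling in TIME_FORMAT, and the TZ value are assumptions to verify against your own log lines. As maciep notes, these settings only take effect on the parsing tier (indexer or heavy forwarder), so they belong in the add-on deployed there, alongside the existing REPORT and LOOKUP lines.

```ini
# Added example for this thread; not from the Splunk App for Windows Infrastructure.
# Assumed (constructed) sample line, tab-separated, classic WindowsUpdate.log:
# 2016-01-12<TAB>08:33:51:230<TAB> 912<TAB>15f0<TAB>AU<TAB>###  AU: Initializing Automatic Updates  ###
# Verify the layout against real lines before deploying to the parsing tier.

[WindowsUpdateLog]
# Each event is a single line: skip the line-merging pass entirely and break
# only on a newline that is followed by a new date. This is usually the biggest
# win for parsing-queue time on chatty single-line logs.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}\s)

# The timestamp is at the very start of the line.
TIME_PREFIX = ^
# Assumption: the space in the format matches the tab between date and time.
# %3N is Splunk's strptime token for three-digit subseconds.
TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N
# The stamp is 23 characters long; a tight lookahead stops Splunk from
# scanning the rest of each line for a date.
MAX_TIMESTAMP_LOOKAHEAD = 25

# The log carries no zone, so pin one instead of inheriting the indexer's.
# Placeholder value: set this to the zone of the Windows hosts being collected.
TZ = UTC

# Bound the work spent on any pathological line.
TRUNCATE = 10000
```

After deploying, a quick check is to search the sourcetype and compare `_time` with the date at the start of `_raw`; if they disagree, the TIME_FORMAT or whitespace assumption above is wrong for your files. Note that on Windows 10 and later the file written by Get-WindowsUpdateLog has a different layout, so the same verification is needed there before reusing this stanza.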

maciep
Champion

I believe there is an add-on that needs to go on the parsing layer of your env (probably the indexer). There's a chart on this page of the documentation that highlights which app/add-on needs to go where.

http://docs.splunk.com/Documentation/MSApp/1.2.1/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastruc...

0 Karma

daniel333
Builder

So the only index-time app listed there does not have much timestamping in its props.conf. Seems I might need to write this myself, unless someone else has written it? Hoping I am wrong, as this sounds like a lot of hours.

Looking at my queues, Windows logs are a big offender.
I also have an indexing latency dashboard, and Windows logs are dominating the list.

0 Karma

maciep
Champion

So are your timestamps incorrect, or is it just alerting that it's taking a relatively long time to parse them out?

I think this is a Splunk-supported app, so if it needs to be addressed, maybe open a case with them to fix it. That could benefit everyone in the end. Not sure of the urgency for you in resolving the issue, though.

0 Karma

daniel333
Builder

Urgency isn't terrible, but I can see it taking a lot of time in my queues. They are the worst offenders. I think I'll open a support ticket. Not sure I want to go through and write 40 props.conf for a supported app.

0 Karma