
Is there a props.conf timestamp configuration for the Splunk App for Windows Infrastructure?

Builder

All,

We just stood up the Splunk App for Windows Infrastructure yesterday, and since doing so, I am getting alerts about log ingestion time being high for the WindowsUpdateLog. I don't see the normal time look ahead and breakers etc. I am not familiar with Windows+Splunk, so before I go and write out props.conf for this, I just wanted to make sure I am right and this was indeed missing from the app?

When I look at props.conf, I don't see any timestamp-related settings:

[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host as dest
REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
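For comparison, this is what the timestamp and line-breaking side of such a stanza would look like. It is an added example, not configuration from the Splunk App for Windows Infrastructure or its add-on, and it assumes the classic tab-separated WindowsUpdate.log layout shown in the comment; confirm the layout and the whitespace matching of TIME_FORMAT against a real sample before deploying it on the parsing tier (heavy forwarder or indexer).

```ini
# Added example, not the app's own props.conf. Place on the parsing tier.
[WindowsUpdateLog]
# Assumed line layout (classic WindowsUpdate.log, fields separated by tabs):
# 2016-01-07<TAB>08:55:12:389<TAB> 876<TAB>d60<TAB>Agent<TAB>message text
# Each log line is one event, so disable line merging and break on newlines.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp starts at the beginning of the line.
TIME_PREFIX = ^
# Date, a tab, then time with milliseconds after a colon (%3N = 3-digit subsecond).
# Assumption: the whitespace in the format matches the tab; verify with sample data.
TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N
# "YYYY-MM-DD" + tab + "HH:MM:SS:mmm" is 23 characters; cap the scan there so the
# parser never walks into the message text looking for a date.
MAX_TIMESTAMP_LOOKAHEAD = 23
# The existing field extractions (REPORT-, LOOKUP-, FIELDALIAS-) stay as they are.
```

Once the stanza is in place, confirm in Splunk that `_time` matches the timestamp at the start of each event rather than the index time, and watch the same indexing-latency dashboard for the WindowsUpdateLog sourcetype dropping down the list.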

Re: Is there a props.conf timestamp configuration for the Splunk App for Windows Infrastructure?

Champion

I believe there is an add-on that needs to go on the parsing layer of your env (probably the indexer). There's a chart on this page of the documentation that highlights which app/add-on needs to go where.

http://docs.splunk.com/Documentation/MSApp/1.2.1/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastruc...


Re: Is there a props.conf timestamp configuration for the Splunk App for Windows Infrastructure?

Builder

So the only index-time app listed there does not have much timestamping in its props.conf. Seems I might need to write this myself, unless someone else has written it? Hoping I am wrong, as this sounds like a lot of hours.

Looking at my queues, Windows logs are a big offender.
I also have an indexing latency dashboard, and Windows logs are dominating the list.


Re: Is there a props.conf timestamp configuration for the Splunk App for Windows Infrastructure?

Champion

So are your timestamps incorrect, or is it just alerting that it's taking a relatively long time to parse them out?

I think this is a Splunk-supported app, so if it needs addressing, maybe open a case with them to fix it. That could benefit everyone in the end. Not sure of the urgency for you to resolve the issue, though.


Re: Is there a props.conf timestamp configuration for the Splunk App for Windows Infrastructure?

Builder

Urgency isn't terrible, but I can see it taking a lot of time in my queues. Worst offenders. I think I'll open a support ticket. Not sure I want to go through and write 40 props.conf stanzas for a supported app.
