I have deployed the Add-on for Windows on one of my servers and I'm not collecting any data. If I don't use the Add-on inputs.conf and only use the inputs.conf file located in \etc\system\local it works fine, but if I remove the data from that file and use the \etc\apps\Splunk_TA_windows\local file I get nothing. I've restarted the service, rebooted the host machine and I'm not sure where to go from here.
I followed the directions here: https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration for the configuration of the inputs.conf and props.conf files.
Any suggestions on what I'm missing, or what log to look at for error messages?
Thanks,
Bob
The best practice is to create an app of your own, so it is modular and controllable (like deployment server etc.)
- Remove any configs you have done in etc/system/local etc. and clean up any config changes done on Splunk_TA_windows
- Create an app (MY_windows_app) within etc\apps and create an inputs.conf file within the local directory of it. So it will look like MY_windows_app\local\inputs.conf
- Ensure your Splunk_TA_windows is present in the etc\apps directory and is NOT modified at all

In your MY_windows_app\local\inputs.conf make an entry like below:

[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0

Restart splunk.
Data should come in now correctly if you have set up your indexer and outputs.conf correctly.
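A small added example (my own code, not koshyk's answer or anything shipped with Splunk) that models how Splunk layers inputs.conf by precedence, so you can see why enabling the stanzas in MY_windows_app\local works while an untouched Splunk_TA_windows stays disabled, and why anything left in etc\system\local would override your app. The precedence order, the file layout and the stanza contents are assumptions and constructed sample data, not taken from the thread.

```python
# Added example: a toy resolver for Splunk's inputs.conf layering.
# Assumed precedence (global context), lowest to highest:
#   etc/system/default < etc/apps/<app>/default < etc/apps/<app>/local < etc/system/local
# Everything below is constructed sample data, not a real deployment.
import configparser
from typing import Dict, List

# Constructed layout following koshyk's advice: Splunk_TA_windows left as shipped
# (its default inputs disabled), enabling stanzas only in MY_windows_app/local.
SAMPLE_FILES: Dict[str, str] = {
    "etc/apps/Splunk_TA_windows/default/inputs.conf": (
        "[WinEventLog://Application]\ndisabled = 1\n"
        "[WinEventLog://Security]\ndisabled = 1\n"
        "[WinEventLog://System]\ndisabled = 1\n"
    ),
    "etc/apps/MY_windows_app/local/inputs.conf": (
        "[WinEventLog://Application]\ndisabled = 0\n"
        "[WinEventLog://Security]\ndisabled = 0\n"
        "[WinEventLog://System]\ndisabled = 0\n"
    ),
}


def layer_rank(path: str) -> int:
    """Lower rank is applied first, so higher rank wins on conflicting keys."""
    if path.startswith("etc/system/default/"):
        return 0
    if path.endswith("/default/inputs.conf"):
        return 1          # etc/apps/<app>/default
    if path.startswith("etc/system/local/"):
        return 3          # overrides every app, which is why it should stay empty
    return 2              # etc/apps/<app>/local


def effective_inputs(files: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Merge stanzas from lowest to highest precedence; the last writer per key wins."""
    merged: Dict[str, Dict[str, str]] = {}
    for path in sorted(files, key=layer_rank):
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.optionxform = str  # keep key case exactly as written
        parser.read_string(files[path])
        for stanza in parser.sections():
            merged.setdefault(stanza, {}).update(parser[stanza])
    return merged


def enabled_inputs(files: Dict[str, str]) -> List[str]:
    """Stanzas whose effective 'disabled' value is not 1/true."""
    return sorted(
        stanza for stanza, kv in effective_inputs(files).items()
        if kv.get("disabled", "0").strip().lower() not in ("1", "true")
    )
```

Drop a stanza with `disabled = 1` into a constructed `etc/system/local/inputs.conf` entry and the resolver shows it silently winning over the app, which is the situation the first bullet above tells you to avoid.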
Although your question has been answered, was the Windows app sending the data to the default 'windows' index, and you were searching your own index and found no data? Just checking - I'm trying to add to my troubleshooting knowledge base.
No data was getting to the Splunk instance at all; I did a search on index=* and saw nothing before doing koshyk's suggestion.
Thanks for the response.
Thanks koshyk! That seems to do the trick! I did fail to mention I do have a deployment server and that I was using that, but using your method I simply created the app and deployed it with your suggestions.
Though I do have a couple of quick follow-up questions. In the link I referenced it talked about setting up the local.conf and prop.conf files; was that incorrect or was I misunderstanding something there?
Also, using the method you showed me there, I wanted to ask: what if I have some one-off data I want to ingest into Splunk that is not configured in the MY_windows_app\local\inputs.conf file and I don't want it to be on every server? For example, if I have one server that I want to get sysmon data from but not every server. Do I then update the etc/system/local inputs.conf file for that specifically?
Thanks again!
Bob
Then you create your "APP" more specifically per input:
- MY_windows_application_inputs
- MY_windows_security_inputs
- MY_windows_sysmon_inputs

and in your serverclass, send the above apps as required to the end hosts/clients. The more granular you go, the more control you have, and it is easier to be dynamic.
