All Apps and Add-ons

No data after setting up Add-on for Windows

bobmc859
New Member

I have deployed Add-on for Windows on one of my servers and I'm not collecting any data. If I don't use the Add-on input.conf and only use the input.conf file located in \etc\system\local it works fine, but if remove the data from that file and use the \etc\apps\Splunk_TA_windows\local file I get nothing. I've restarted the service, rebooted the host machine and I'm not sure where to go from here.

I followed the directions here: https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration for the configuration of the input.conf and prop.conf files.

Any suggestions what I'm missing what log to look at for error messages?

Thanks,
Bob

0 Karma
1 Solution

koshyk
Super Champion

The best practice is to create an app of yourself , so it is modular and controllable (like deployment server etc.)

  1. Remove any configs you have done in etc/system/local etc. and cleanup any config changes done on Splunk_TA_windows
  2. Create an app (MY_windows_app) within etc\apps and create inputs.conf file within local directory of it. So it will look like . MY_windows_app\local\inputs.conf
  3. Ensure your Splunk_TA_windows is present in etc\apps directory and is NOT modified at all
  4. In your MY_windows_app\local\inputs.conf make an entry like below

    [WinEventLog://Application]
    disabled = 0
    [WinEventLog://Security]
    disabled = 0
    [WinEventLog://System]
    disabled = 0

  5. Restart splunk

Data should come in now correctly if you have setup your indexer and outputs.conf correctly

View solution in original post

0 Karma

danielansell
Path Finder

Although your question has been answered, was the Windows app sending the data to the default 'windows' index, and you were searching your own index and found no data? Just checking - I'm trying to add to my troubleshooting knowledge base.

0 Karma

bobmc859
New Member

No data was getting to the splunk instance at all, I did a search on index=* and saw nothing before doing koshyk's suggestion.

0 Karma

danielansell
Path Finder

Thanks for the response.

0 Karma

koshyk
Super Champion

The best practice is to create an app of yourself , so it is modular and controllable (like deployment server etc.)

  1. Remove any configs you have done in etc/system/local etc. and cleanup any config changes done on Splunk_TA_windows
  2. Create an app (MY_windows_app) within etc\apps and create inputs.conf file within local directory of it. So it will look like . MY_windows_app\local\inputs.conf
  3. Ensure your Splunk_TA_windows is present in etc\apps directory and is NOT modified at all
  4. In your MY_windows_app\local\inputs.conf make an entry like below

    [WinEventLog://Application]
    disabled = 0
    [WinEventLog://Security]
    disabled = 0
    [WinEventLog://System]
    disabled = 0

  5. Restart splunk

Data should come in now correctly if you have setup your indexer and outputs.conf correctly

0 Karma

bobmc859
New Member

Thanks koshyk! That seem to do the trick! I did fail to mention I do have a deployment server and that I was using that, but using your method I simply created the app and deployed it with your suggestions.

Though I do have a couple of quick follow up questions. In the link I referenced it talked about setting up the local.conf and prop.conf files, was that incorrect or was miss understanding something there?

Also using the method you shown me there I wanted to ask, what if I have some one off data I want to ingest in to splunk that is not configured in the MY_windows_app\local\inputs.conf file and I don't want it to be on every server. For example if I have one server that I want to get sysmon data from but not every server. Do I then update the etc/system/local input.conf file for that specifically?

Thanks again!
Bob

0 Karma

koshyk
Super Champion

then you create your "APP" more specific per input

MY_windows_application_inputs
MY_windows_security_inputs
MY_windows_sysmon_inputs

and in your serverclass, send the above apps as required to the end hosts/clients. The more granular you go, the more control you have and easy to be dynamic.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...