All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

SPLUNK app for Windows not working

jviteka
Explorer
‎11-20-2013 07:31 AM

I am currently having issues with getting my SPLUNK for Windows app to work properly. I have deployed my SPLUNK forwarder to roughly 300 windows boxes but only show a counter performance counter of 2. The Hosts field in Windows shows all 300 servers that I have but the performance does not.

I am trying to search for a specific Windows username that is failing in the Windows Security log but cannot perform this search. If anyone knows an easier way to find the Windows user and events it is tied to I would appreciate it. Also, if there is something wrong with my Windows app please let me know any potential fixes. I am only monitoring the Security eventlog on my Windows boxes. Thanks for the help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎11-20-2013 08:44 AM

EventCode 4648 is a success only event, so it will not show failures.
This search for EventCode 4625 will show the stats for the host name where the failure occurred, the username that failed, and the failure reason:

index=main sourcetype="*wineventlog:security" EventCode=4625 | eval Account_Name=mvindex(Account_Name,1) | stats count by Workstation_Name,Account_Name,Failure_Reason

The Account_Name,1 eval statment is used to get the second occurance of Account_Name in the event, because this is generally the name of interest. If you want the first occurrance in the event, then change the 1 to a 0.

View solution in original post

Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎11-20-2013 08:44 AM

EventCode 4648 is a success only event, so it will not show failures.
This search for EventCode 4625 will show the stats for the host name where the failure occurred, the username that failed, and the failure reason:

index=main sourcetype="*wineventlog:security" EventCode=4625 | eval Account_Name=mvindex(Account_Name,1) | stats count by Workstation_Name,Account_Name,Failure_Reason

The Account_Name,1 eval statment is used to get the second occurance of Account_Name in the event, because this is generally the name of interest. If you want the first occurrance in the event, then change the 1 to a 0.

Reply
Solved! Jump to solution

jviteka
Explorer
‎11-20-2013 08:30 AM

Event ID 4625 and 4648 is what I am looking for with a specified username.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎11-20-2013 08:18 AM

What EventCode is associated with the failure?

Reply
Solved! Jump to solution

jviteka
Explorer
‎11-20-2013 08:11 AM

No I am not collecting data from WMI but I can start. Would you be able to answer the search as a temporary fix in finding all events correlated to a Windows Username?

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎11-20-2013 08:07 AM

The Windows app requires that performace data be collected via WMI. Are you Windows forwarders collecting WMI performace data? You can also configure the Splunk Indexer to collect WMI data from the remote servers, but the service will need to be running as a Windows Domain user.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...