Setting up Splunk App for Windows Infrastructure with Splunk Add-on for Microsoft Windows: How to resolve issues with getting data via sourcetype?

cyberjj999
New Member

Hello Folks,

I am trying to set up Splunk App for Windows Infrastructure for easier dashboarding and management. However, despite days of research, I am still unable to fix/solve the problem regarding sourcetype.

So far, I have already installed Splunk Add-on for Microsoft Windows and I am able to receive various data already. Here is a snippet of my inputs.conf in Splunk Add-on for Microsoft Windows:

```
###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
index = hostmonitoring
sourcetype = WinHostMon
type = Computer

[WinHostMon://Process]
interval = 600
disabled = 0
index = hostmonitoring
sourcetype = WinHostMon
type = Process
```

I have a lot more configuration, but the concept should be clear: I followed the initial inputs.conf in the default and use only the portions which I require.

If I search for index=hostmonitoring, I am able to get data just fine, but I am unable to get any data when I search sourcetype=WinHostMon.

The concept is the same regarding the other sourcetypes: Perfmon, WinHostMon, WinPrintMon, and WinRegMon. For some odd reason, ONLY WinEventLogs were "searchable".

Upon researching deeper, even though I included sourcetype={my_input}, it seems like the props.conf requires a matching stanza; if not, it wouldn't work anyway. On the other hand, I have seen people saying that some app authors do not allow customization of sourcetype. I am truly puzzled by this, and I have seen just a few similar queries online, but a proper solution was never shared.
https://answers.splunk.com/answers/583743/how-to-enable-sourcetypewinregistry-for-windows-in.html

I am truly struggling with this and I hope someone can help me out!
Thank you very much for taking the time to read this long message!
