All Apps and Add-ons

Setting up Splunk App for Windows Infrastructure with Splunk Add-on for Microsoft Windows: How to resolve issues with getting data via sourcetype?

cyberjj999
New Member

Hello Folks,

I am trying to set up Splunk App for Windows Infrastructure for easier dashboarding and management, however, despite days of research, I am still unable to fix/solve the problem regarding sourcetype.

So far, I have already installed Splunk Add-on for Microsoft Windows and I am able to receive various data already, to show a snippet of my inputs.conf at Splunk Add-on for Microsoft Windows:

```

###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
index = hostmonitoring
sourcetype=WinHostMon
type = Computer

[WinHostMon://Process]
interval = 600
disabled = 0
index = hostmonitoring
sourcetype=WinHostMon
type = Process

```

I have a lot more configuration but the concept should be clear that I followed the initial inputs.conf in the default and use only the portions which I require.

If I were to search for index=hostmonitoring I will be able to get data just fine, but I am unable to get any data when I search sourcetype=WinHostMon.

The concept is the same regarding the other sourcetypes, Perfmon, WinHostMon, WinPrintMon, and WinRegMon, for some odd reason, ONLY WinEventLogs were "searchable".

Upon researching deeper, even though I included sourcetype={my_input}, it seems like the props.conf requires a matching stanza if not it wouldn't work anyways. On the other hand, I have seen people saying that some app authors do not allow customization of sourcetype. I am truly puzzled by this and I have seen just a few similar queries online but a proper solution was never shared.
https://answers.splunk.com/answers/583743/how-to-enable-sourcetypewinregistry-for-windows-in.html

I am truly struggling with this and I hope someone can help me out!
Thank you very much for taking the time to read this long message!

Labels (3)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...