
Splunk Add-on for Windows Setup steps

seungman
Path Finder

Hi.
I installed Splunk Add-on for Microsoft Windows version 4.8.4 on Splunk 6.5.3.
However, after installing this App, there is only a message like below:
Overview

The Splunk Add-on for Microsoft Windows provides pre-built data inputs to facilitate Windows system monitoring using Splunk. Check out the Splunk Add-on for Microsoft Windows page on Splunkbase for support information, the latest updates, and more.

Configuration of inputs through this application are global, and might affect how other Splunk applications on the system use those inputs. After configuration, confirm that the changes you make in this application do not negatively alter the other applications.

There is no available menu.
Have you ever installed this app successfully in the same situation as mine?

Thanks
Seung-Man Jo

1 Solution

seungman
Path Finder

Hi cusello.
After I installed the App, there wasn't an inputs.conf file.
Hence I created one like below:
[root@ip-172-31-28-27 local]# cat inputs.conf
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0

Is it a correct inputs.conf file?

Thanks
Seung-Man Jo


gcusello
SplunkTrust

Hi Jo,
yes, it's correct.
Usually I prefer to use the default index "wineventlog" instead of a custom one, but you're correct, it's only a practice of mine.
In addition, I found that the option "renderXml=1" sometimes gives an error and usually I don't use it: you can verify this by restarting the Splunk Forwarder from the CLI; in this way you can see the startup messages and any configuration errors.

Bye.
Giuseppe


seungman
Path Finder

Hi cusello.

Thanks for the quick feedback.
Yes, I deleted the 'renderXml=1' value and rebooted the OS as well.
However, it is still the same.
Are there any check points?

Here is my folder information.
[root@ip-172-31-28-27 local]# ll
total 8
-rw------- 1 root root 65 Jun 20 05:26 app.conf
-rw-r--r-- 1 root root 100 Jun 20 07:26 inputs.conf
[root@ip-172-31-28-27 local]# pwd
/etc/apps/splunk/etc/apps/Splunk_TA_windows/local
[root@ip-172-31-28-27 local]#

Thanks
Seung-Man Jo


gcusello
SplunkTrust

Hi Jo,
You don't need to reboot the OS, only the Splunk Forwarder.

Sorry, but examining your information, I see that you're running TA_Windows on a Unix system! TA_Windows must be installed on the target Windows server to monitor, not on the Splunk Enterprise Server!
You can deploy it manually or using a Deployment Server; anyway, it must run on a Windows server!

See very carefully the documentation at https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor

Bye.
Giuseppe

P.S., if you're satisfied with my answer, accept it.


gcusello
SplunkTrust

Hi seungman,
did you follow the instructions on http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows ?
Anyway, you have to analyze the scope of your monitoring and enable only the inputs in your scope.
To enable these inputs you have to modify the inputs.conf file in $SPLUNK_HOME\etc\apps\local, changing "1" to "0" in the "disabled" options.
Remember that if there isn't an inputs.conf in the local folder, you have to copy it from the default folder; don't modify the one in the default folder, because you'll lose your changes at the first upgrade.
It's important to define the scope of your monitoring because Windows is very verbose and you could receive too many logs.
Bye.
Giuseppe

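As an added example (not code from the thread or from the add-on itself), the script below applies Splunk's default/local layering to an inputs.conf the way Giuseppe describes, using the Security stanza seungman posted as the local file and a constructed stand-in for the add-on's default file, so you can see which inputs are actually enabled before restarting the forwarder:

```python
# Added example: resolve the effective inputs.conf of a Splunk app the way
# Splunk layers configs (keys in local/ override the same stanza in default/).
# DEFAULT_CONF is a constructed stand-in for Splunk_TA_windows/default/inputs.conf;
# the real file ships many more stanzas, all with disabled = 1.
DEFAULT_CONF = """
[WinEventLog://Application]
disabled = 1
index = wineventlog

[WinEventLog://Security]
disabled = 1
current_only = 0
index = wineventlog
"""

# The local/inputs.conf posted in the thread, with renderXml removed as advised.
LOCAL_CONF = """
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
disabled=0
"""

def parse_conf(text):
    """Minimal .conf parser: [stanza] headers, key = value lines, # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_inputs(default_text, local_text):
    """Merge per stanza and per key: local wins, unset keys are inherited from default."""
    merged = {name: dict(keys) for name, keys in parse_conf(default_text).items()}
    for name, keys in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(keys)
    return merged

def enabled_inputs(merged):
    """Stanzas that will actually collect data (disabled resolves to 0; unset means enabled)."""
    return sorted(name for name, keys in merged.items() if keys.get("disabled", "0") == "0")
```

Running `enabled_inputs(effective_inputs(DEFAULT_CONF, LOCAL_CONF))` returns only the Security stanza, with `index=security` and `current_only=1` taken from local and Application left disabled from default.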