Splunk App for Windows Infrastructure, Guided setup problems

marcusmartin
Path Finder

Hi, I'm banging my head against a wall with this. Some background: basically I have had to recreate a new indexer/search head which is standalone, on version 8, and I have managed to import the old data after some head scratching.

I want to use the Splunk App for Windows Infrastructure, but when going through the guided setup I get this:

[screenshot: marcusmartin_0-1604059984218.png]

All prereqs were passed:

[screenshot: marcusmartin_1-1604060017157.png]

I have followed the guide and deployed the Splunk_TA_Windows app to one of my DCs.

On further investigation, and after restarting the Splunk services, I noticed all the indexes it is trying to search in the guided setup don't exist. I'm obviously out of my depth with this and am going around in circles. What have I missed?

Any help appreciated because I'm stumped. Regards, M

marcusmartin
Path Finder

Hi, good news: with your help I have got this fixed. I had to create the msad index as it did not exist. I also noticed in the inputs file that I hadn't enabled some settings.

marcusmartin
Path Finder

I am ingesting data from all my domain controllers; it was set up to get logons and logoffs and all group changes, and I can see the data.

I created the index MSAD but unfortunately no dice. I also copied the inputs.conf file into the local directory on the DC that I have the app deployed to.

dangeloma
Explorer

Can you determine if data for those sourcetypes exists? Maybe run a search for each of those sourcetypes across the past 24 hours to make sure you are even ingesting that data. If so, determine which index the data is going to and see if that index aligns with the index the app is searching. You may need to change which index the app is searching, or send the data to the index the app is searching. I remember when I set up the add-ons and apps for Windows, all of the recommendations for sourcetypes and indexes were covered in the docs.

https://docs.splunk.com/Documentation/MSApp/2.0.1/MSInfra/DownloadandconfiguretheSplunkAdd-onforWind...

I know you said the indexes aren't present and you rebuilt the indexer; maybe the data is going to an index that no longer exists on the indexer. Bottom line, I would determine if you are even getting the data into an index and go from there. Hope this provides some help.
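The two checks the thread converges on (which index each enabled input sends to, and whether that index exists on the rebuilt indexer, plus which inputs.conf stanzas are still disabled) can be scripted. This is an added example, not code from the thread or from Splunk: the inputs.conf text is a constructed sample in the add-on's stanza style, and the list of existing indexes is an assumed input, the kind of list you would get from `splunk list index` on the indexer.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample inputs.conf in the stanza style of the Windows add-on
# (not the real Splunk_TA_Windows file). One stanza is still disabled.
SAMPLE_INPUTS_CONF = """[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 1
index = wineventlog

[admon://default]
disabled = 0
index = msad
"""

# Constructed list of indexes present on the rebuilt indexer
# (in practice, take it from `splunk list index` on the indexer).
EXISTING_INDEXES = ["main", "wineventlog"]


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style inputs.conf into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written instead of lower-casing
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def audit_inputs(text: str, existing_indexes: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing_indexes, disabled_stanzas). Only enabled stanzas count:
    a disabled input forwards nothing, so its index cannot be why the app's
    guided-setup searches come back empty."""
    existing = {idx.lower() for idx in existing_indexes}
    missing, disabled = set(), []
    for stanza, keys in parse_inputs_conf(text).items():
        if keys.get("disabled", "0").strip().lower() in ("1", "true"):
            disabled.append(stanza)
            continue
        index = keys.get("index", "").strip()
        if not index:
            continue  # no index= means the default index, which always exists
        if index.lower() not in existing:
            missing.add(index)
    return sorted(missing), disabled
```

For the sample above, `audit_inputs(SAMPLE_INPUTS_CONF, EXISTING_INDEXES)` reports `msad` as the index to create and `WinEventLog://System` as the stanza to enable; run it against the real inputs.conf on the forwarder and the real index list from the indexer.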

marcusmartin
Path Finder

[screenshot: marcusmartin_0-1604064356890.png]

So I went back and re-read that link and noticed I hadn't changed the mode to single. I did that and now at least most of them seem to be coming through; the sourcetypes are there now. The MSAD one is the one I created the index for, which I am now about to delete.

marcusmartin
Path Finder

[screenshot: marcusmartin_0-1604063321621.png]

Apologies for my lack of understanding of this product; I can never seem to get a handle on how it works. I typed sourcetypes in the search and the only matching terms are these.

richgalloway
SplunkTrust

If the indexes don't exist then create them.

---
If this reply helps you, an upvote would be appreciated.

marcusmartin
Path Finder

Thanks, I had created one of the indexes to see if that solved the issue but it hasn't. I will create the others and see if that works.