All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App for Windows Infrastructure: Why are WinEventLog configurations not indexing any data?

amithhegde
New Member
‎08-12-2015 04:56 AM

I have the Windows Infrastructure app installed on a Windows machine. The monitor stanza and the powershell scripts are working fine, but the Winevent logs with the following config are not indexing any data.

[WinEventLog:DFS Replication]
 disabled=0
 sourcetype="WinEventLog:DFS Replication"
 index=winevents
 queue=parsingQueue

 # Application and Services Logs - Directory Service

 [WinEventLog:Directory Service]
 disabled=0
 sourcetype="WinEventLog:Directory Service"
 index=winevents
 queue=parsingQueue

 # Application and Services Logs - File Replication Service

 [WinEventLog:File Replication Service]
 disabled=0
 sourcetype="WinEventLog:File Replication Service"
 index=winevents
 queue=parsingQueue

Please guide me where am I going wrong?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-13-2015 02:12 PM

Two semi-general suggestions:

If it's installed on the local machine, is that local machine a Domain Controller?

You do have a "winevents" index on the indexer this gets sent to, right? If not, create that. I believe I had a problem where that app didn't create one of the indexes, though I don't recall which one. This could be your problem.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-14-2015 08:10 AM

Well, something I noticed and I have no idea if it's a problem or not, but all my DCs have their various sourcetypes set with no spaces in it.

For instance, on the one I checked, C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf says:

[WinEventLog://File Replication Service]
disabled=0
sourcetype=WinEventLog:File-Replication-Service
index=wineventlog
queue=parsingQueue

Try changing them to dashes and not spaces in those stanza and restart the UF?

0 Karma
Reply

amithhegde
New Member
‎08-14-2015 06:55 AM

Hi Rich,

Thanks for replyin, yes I have the "winevents" index created, and the machine I want to gt events from is not a local machine. But i have deployed the DomainController App on the machine in question.

Kindly let me know if I am missing something. Any suggestions on this would be really helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...