All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk App for Windows Infrastructure and Missing Empty Lookups

davidjohnbecket
Path Finder
‎07-11-2019 02:06 AM

I have a single splunk server environment that i want to use to monitor windows host (which is also a Domain Controller)

I have installed the Splunk App for Windows Infrastructure, the Splunk Supporting Add-on for Active Directory and the Splunk Add-on for Microsoft Windows on the SearchHead/Indexer/DeploymentMaster.

I am then pushing out the Splunk Add-on for Microsoft Windows to the windows host with inputs.conf enabled in the \local folder via the deployment-apps folder.

I run through the setup and configuration of the Splunk App for Windows Infrastructure, build the lookups and migrate to KV store.

Data is being indexed and is searchable from the default search app but none of the dashboards in the Splunk App for Windows Infrastructure app are returning anything.

No errors in the splunkd log on either of the SH or client.

I have a few questions:

  1. Where are the lookups stored that get built?
  2. When i test a lookup e.g. | inputlookup windows_event_details it returns no results - Why arent these lookups populated?

alt text

I do know from version 6 the index stanza has been removed, and therefore all data is going into the index = main

Could this be the issue?

How do i send data to the specific windows indexes? e.g. index=wineventlog

Preview file
40 KB
0 Karma
Reply

jeremyhagand61
Communicator
‎08-12-2019 06:13 PM

I managed to fix this by changing the renderXml=true to false in every WinEventLog stanza of the inputs.conf.

This is documented here:
https://docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWind...

All the wineventlog inputs (Windows, AD, and DNS) will have renderXml=true (Xml Format) by default. Make it false for all WinEventLog Inputs as XML data is not supported.

But it is very easy to miss. After I modified the inputs.conf and redistributed it I regenerated the lookups (Tools and Setting > Build Lookups) and all is happy.

0 Karma
Reply

davidjohnbecket
Path Finder
‎08-12-2019 12:49 AM

thanks jeremyhagand61.

I have opened up a support ticket with Splunk on the lookups problem, they are currently working on it but because its a P3 there hasnt been much traction.

0 Karma
Reply

jeremyhagand61
Communicator
‎08-11-2019 11:19 PM

The doco covering the Index config is here:
https://docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWind...

You either have to add the
index = wineventlog

etc. into your Deployment App (and the app on your Splunk Enterprise install.

Not sure why the lookups are empty. I'm having the same issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...