
Splunk App for Windows - No Windows Events showing up

gethersj
Loves-to-Learn Lots

I have installed the required apps to get Splunk App for Windows Infrastructure to work. I have the inputs.conf configured with the following: 

###### OS Logs ######
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = true

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

If I search for the index wineventlog I see items that have been indexed from all desktops, but for some reason I can't seem to get the information to show up in the Splunk App for Windows Infrastructure under Windows > Event Monitoring; all I get is "No Results found".

Any ideas why this would be? 

I have tried to run the Build lookups again etc. and it's the same.

Thanks


gcusello
SplunkTrust

Hi @gethersj,

The Splunk App for Windows Infrastructure works using eventtypes that don't contain the index (don't ask me why!).

So if you don't have the wineventlog index in the default path (and usually this is the case!), the eventtypes don't find anything!

You can follow two approaches:

  • put the wineventlog index in the default path [Settings -- Roles -- <your_role> Indexes] for the roles you're using;
  • modify each eventtype of the app adding "index=wineventlog".

The first solution is quick and dirty; the second requires more time but it's better, because you'll get better performance in your App searches.

Ciao.

Giuseppe


gethersj
Loves-to-Learn Lots

Hi @gcusello

Thanks for your reply. 

I have done this and it's the same.

  • put the wineventlog index in the default path [Settings -- Roles -- <your_role> Indexes] for the roles you're using; - Added this and it's the same, no events showing up still.

  • modify each eventtype of the app adding "index=wineventlog". -- As you can see in my post I have put index on each eventtype, I think?

Thanks


gcusello
SplunkTrust

Hi @gethersj,

usually the problem is the default path!

Anyway, open a panel of that dashboard in search and debug it by deleting the commands one by one, from the end, up to the last pipe "|".

In this way you can understand what the problem is that's blocking your panels.

I don't have this app at hand; could you share the search you're speaking of?

Ciao.

Giuseppe


gethersj
Loves-to-Learn Lots

This is the search that it executes:

| inputlookup windows_event_details | table LogName, SourceName, TaskCategory, EventCode | sort LogName, TaskCategory, EventCode

If I run index="wineventlog" I get thousands of returned values. I just can't see why the Windows App doesn't show the events.

Thanks


gcusello
SplunkTrust

Hi @gethersj,

this panel uses a lookup.

First, check with Lookup Editor whether you have values in this lookup.

  • If yes, check the grants on this lookup.
  • If not (easier!), you have to understand why this lookup doesn't contain values.

To do this, look in the scheduled searches for the search that puts values into this lookup: you can recognize it because at the end you'll find "| outputlookup windows_event_details".

Then debug this search using the above way.

Ciao.

Giuseppe


gethersj
Loves-to-Learn Lots

Hi @gcusello 

I am a little lost now to be honest. 

I have gone to Settings > Lookups > Automatic Lookups - I take it I should be able to see a lookup called windows_event_details?

I have run a dashboard that does work, and the lookup here looks like this:

| inputlookup windows_perfmon_details | eval Perfmon_Counter=counter | eval Perfmon_Counter_Category=object | dedup Perfmon_Counter, instance | table Perfmon_Counter_Category, Perfmon_Counter, instance | sort Perfmon_Counter_Category, Perfmon_Counter, instance

Thanks


gcusello
SplunkTrust

Hi @gethersj,

No: automatic lookups are a way to reduce code in your searches, because if you have an automatic lookup you don't need to call a lookup using the lookup command.

Have you installed on your Search Head the Splunk_TA_Windows App?

Because the scheduled search that puts values in the lookup uses an Eventtype (wineventlog_windows) defined in this App.

Ciao.

Giuseppe


gethersj
Loves-to-Learn Lots

Yes, that app is installed. Very weird this is 😕

Thanks


gcusello
SplunkTrust

Hi @gethersj,

the scheduled search that populates the lookup is "WinApp_Lookup_Build_Event - Update - Detail"; please try to execute it manually.

If you don't get results, please try this:

eventtype="wineventlog_windows" index=wineventlog
| dedup EventCode, LogName
| fields + LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription, Message
| eval EventCodeDescription=if(isnull(EventCodeDescription) OR len(trim(EventCodeDescription))==0 OR EventCode=="No Description Available-Update windows_eventcode_definitions", mvindex(split(Message, "."), 0), EventCodeDescription)
| table LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription
| eval _key = LogName . "___" . EventCode . "___" . SourceName . "___" . TaskCategory . "___" . Type . "___" . EventCodeDescription
| outputlookup windows_event_details append=true

If you now have results, the problem is the path I mentioned in my first answer.

If it doesn't run, you have to debug it by deleting the rows one by one up to the last pipe "|".

You have to find which is the row that blocks the results.

Probably the problem is in the dedup command.

If you don't get any result even using only the main search

Ciao.

Giuseppe


gethersj
Loves-to-Learn Lots

Hi @gcusello 

I tried executing that manually and I got 0 results.

Entering just eventtype="wineventlog_windows" index=wineventlog I get results.

But with anything after the first pipe I get 0 results, so your expectations were correct.

Do you know if there is a workaround for this, or do I need to start from the start with it all?

Thanks


gcusello
SplunkTrust

Hi @gethersj,

this means that there isn't any extraction for the field EventCode or the field LogFile, so the result of dedup is zero!

The first is surely present, I'm not sure about the second one.

You can check this by running only the main search

eventtype="wineventlog_windows" index=wineventlog

See if the fields EventCode and LogFile are present.

If one of them (e.g. LogFile) is missing, you have three ways:

  • see what happens when removing the second field in dedup,
  • search in the main search for another field with the content of LogFile; maybe it's only written in a different way,
  • try to extract by yourself the LogFile field.

One doubt:

Are you using the latest versions of Splunk_TA_Windows and Splunk App for Windows Infrastructure?

Which version of Windows is on the target server?

The latest versions of Windows changed the log format; maybe there's a parsing problem.

Ciao.

Giuseppe

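To make the two points in this thread concrete (the "trim commands from the last pipe" debugging approach and the final diagnosis that a missing dedup field zeroes out the lookup build), here is an added Python model of the lookup-building SPL pipeline run over constructed events. It is example code, not Splunk's or the app's own; it assumes Splunk's documented dedup behaviour (events lacking any dedup field are dropped unless keepempty=true), and the event dictionaries are constructed sample data, not real logs.

```python
# Constructed events (not real log data) whose extraction yields EventCode
# but no LogName, the situation diagnosed in the thread.
EVENTS_MISSING_LOGNAME = [
    {"EventCode": "4624", "SourceName": "Security-Auditing", "TaskCategory": "Logon",
     "Type": "Information", "Message": "An account was successfully logged on. Subject: x"},
    {"EventCode": "4624", "SourceName": "Security-Auditing", "TaskCategory": "Logon",
     "Type": "Information", "Message": "An account was successfully logged on. Subject: y"},
    {"EventCode": "1000", "SourceName": "Application Error", "TaskCategory": "None",
     "Type": "Error", "Message": "Faulting application name: notepad.exe, version: 1.0"},
]
# Control set: the same constructed events with LogName extracted as expected.
EVENTS_WITH_LOGNAME = [dict(e, LogName=n) for e, n in
                       zip(EVENTS_MISSING_LOGNAME, ["Security", "Security", "Application"])]
KEY_FIELDS = ["LogName", "EventCode", "SourceName", "TaskCategory", "Type", "EventCodeDescription"]

def dedup(events, fields, keepempty=False):
    """Model of Splunk dedup: keep the first event per distinct tuple of field
    values; unless keepempty is set, an event lacking any of the fields is dropped."""
    seen, out = set(), []
    for e in events:
        if not all(f in e for f in fields):
            if keepempty: out.append(e)
            continue
        key = tuple(e[f] for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out

def describe(events):
    """The eval EventCodeDescription step: fall back to the first sentence of Message."""
    for e in events:
        if not e.get("EventCodeDescription", "").strip():
            e["EventCodeDescription"] = e["Message"].split(".")[0]
    return events

def add_key(events):
    """The eval _key step: join the table columns with '___'."""
    for e in events:
        e["_key"] = "___".join(e[f] for f in KEY_FIELDS)
    return events

PIPELINE = [("dedup EventCode, LogName", lambda ev: dedup(ev, ["EventCode", "LogName"])),
            ("eval EventCodeDescription", describe), ("eval _key", add_key)]

def stage_counts(events):
    """Result count after each stage: what you learn by re-running the SPL
    with commands trimmed from the last pipe, one at a time."""
    counts, cur = [], [dict(e) for e in events]
    for name, fn in PIPELINE:
        cur = fn(cur)
        counts.append((name, len(cur)))
    return counts
```

Running stage_counts on the set without LogName shows the count collapsing to 0 at the dedup stage, while the control set keeps two rows all the way to the _key step; dedup with keepempty=True keeps all rows, which is the quick way to confirm that a missing field, not the data, is the cause.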