We installed Sideview Utils 2.4 and Splunk for WinSSHD (latest version) on our central search head running v5.0.2
WARNING: no events found for sourcetype="winsshd". Are you sure you are indexing the data and that it is sourcetyped correctly?
Is there additional configuration needed to point our hosts or enable a scripted input that allows this sourcetype to push data to the app?
Any help is appreciated
It does mean that either no data is indexed with the sourcetype of "winsshd", or that it's being indexed but into some index other than index="main". Is either of these the case?
If you just go to the Search app and run the search sourcetype=winsshd, do you get any events returned?
Nope, should be fine. I think it's probably something big enough that we'll resolve it in 5 mins with a phone call or a WebEx tomorrow. Email me at nick [at] sideviewapps.com if you have any free time tomorrow.
Is there any configuration change needed on the search head itself?
So, I have a forwarder which is pushing data onto a search head and it's being written to sourcetype="winsshd".
I can see the data being written against sourcetype="winsshd" (in data inputs, etc.) but for some reason the app which is sitting on the search head does not acknowledge this.
No such special configuration is required, and in fact if you don't get anything returned for a search for sourcetype=winsshd, that simply means you have no data indexed, with that sourcetype, in index=main. Can you double-check that the data input is set up correctly? In the data inputs screen it should list a number of files if it is actively matching files to index, and make sure sourcetype and index are set as you expect.
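As an added illustration (not part of the reply above and not shipped with the WinSSHD app or Sideview Utils), this is what an explicitly configured monitor input looks like in inputs.conf on the forwarder, with both sourcetype and index pinned so the events land where the app searches. The log path is a placeholder assumption; use whatever directory WinSSHD writes to on your host.

```ini
# inputs.conf on the forwarder (example only).
# The path below is a placeholder; point it at the real WinSSHD log directory.
[monitor://C:\Logs\winsshd\*.log]
disabled = false
# Must match the sourcetype the app's searches expect.
sourcetype = winsshd
# If this is omitted the events go to the default index of the forwarder/indexer,
# which may not be "main"; set it explicitly so the app's index=main searches see them.
index = main
```

After restarting the forwarder, a search of `index=* sourcetype=winsshd | stats count by index, host, source` on the search head shows whether events are arriving at all and which index they actually went to. If the count comes back under an index other than main, either change `index = main` here or make the app search that index; a result of zero across all indexes points back at the monitor path or the forwarder's output configuration rather than at the app.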
I do not get any events returned for sourcetype=winsshd.
What if we DO have all our events written to index="main" but for some reason this app needs to be additionally configured to associate sourcetype="winsshd" with index="main"?