Splunk for Windows Infrastructure: Is access to DNS or Active Directory mandatory for this app?

mfrost8
Builder

I'm a little confused about the Splunk for Windows Infrastructure app. This seems to be the Splunk 6.x replacement for the older "Splunk for Windows". (I'm running Splunk 6.2.x).

I wanted to use this app to look at OS data, but I don't/won't have access to DNS or Active Directory data (i.e. we have no privileges for either of those technologies in my organization). The docs make it seem like this is really mandatory.

I'm running Splunk 6, so it doesn't seem like I could go back to the "Splunk for Windows 5.x" app either. I'm confused -- what if I only want to know local server (CPU, memory, process, service, event logs, etc) and want that wrapped in a nice dashboard that I don't have to write from scratch?

Thanks

rostendorf_splu
Splunk Employee

I don't see anything in the "Splunk for Windows Infrastructure app" documentation saying DNS or Active Directory (AD) data is mandatory.

I was able to install the "Splunk Add-on for Microsoft Windows" on a windows server acting as a forwarder, and then install "Splunk App for Windows Infrastructure" on a Linux search head (all systems only using IP addresses w/no AD).

When installing the "Splunk for Windows Infrastructure app" on the search head, there is a guided setup where you may need to check the "Bypass-Prerequisite checks" since you don't have AD data, but you can still go through this useful wizard to detect what data is coming.

Once the app is configured and you are in it, I thought the Event Monitoring and Performance Monitoring selections under the Windows drop down were particularly useful.

The app does require access to the perfmon, windows, and wineventlog indexes which need to be created for the add-on. This means, under settings > access controls > roles, these indexes need to be added under "Indexes searched by default", and the user needs to log out and log back in.

mfrost8
Builder

I guess I'm a lot confused then :-). While we do use AD (and DNS), it's not a system that my team has rights to interface with other than as mere users.

We run pooled search heads (yes, deprecated, but not able to get off of it that quickly) on Linux. Definitely have Windows data from UF's going to Linux indexers. When I put Splunk for Windows Infrastructure 1.1.3 on the Linux search heads, restart, then try to go into the app, I never get any first time setup page. I've wiped it out and restarted and untar'd it back into the search dir several times and get the same result. When I enter the app, I get the Splunk logo in the upper left, a gray navigation bar with no graphics on it (certainly not the progress bar indicated in the docs) a header that says "Additional Resources" and then 2 links below that for "Documentation" and "Learn more about building custom app dashboards". So the only functional parts of that page are things that go right to Splunk's documentation.

It's probably just me, but I find the documentation for this app rather confusing, but I think because nothing clearly indicated the AD and DNS components were optional, that the lack of those components was why I didn't get anything beyond the simple non-functional page I mentioned above. When I re-read the docs, they seemed to say that I have to install the Splunk add-on for Windows on the search head, which makes no sense unless your search head is Windows (docs don't say that). I tried adding the Splunk_TA_windows anyway and got loads of errors at startup and no difference when entering the Splunk app for Windows Infrastructure.

Something's just not working right with this app and I don't know what/why.

Thanks

0 Karma

rostendorf_splu
Splunk Employee

@mfrost8 - The "Splunk for Windows Infrastructure app" documentation seems to assume the entire environment (SH, IDX, and UVF) is running on Windows, so that's why it says put the Add-on everywhere. I also see it does not show the AD components are optional, but I don't see any dependence on this, so don't think they are required.

I have a Linux SH and IDX, so I did not install the Windows add-on there, only on the Windows forwarder, and the Infrastructure app on the SH. So no, I don't think you need it anywhere but your Windows forwarders! I also don't have AD or DNS components installed.

The App loads fine for me on the linux SH, but it's missing the AD info, which is expected. No weirdness with the interface like you described. It should just open right up to the guided setup.

I think you have something else going on with the install of the infrastructure app on your SH, and it's not related to the AD/DNS components not being installed.

Perhaps the issue is related to your pooled search heads, and how the app is configured? Could you try deploying the app on just one of your search heads locally to see if that makes a difference? Seems unlikely but maybe worth a try?

Another possibility is this is a browser related issue? Could you try different web browsers?
You could also look at the logs on your SH to see if you notice anything pertinent when reproducing the behavior.

0 Karma

mfrost8
Builder

Huh. I turned off search head pooling and reinstalled the app in $SPLUNK_HOME/etc/apps.

I then tried hitting the app from the apps pull-down menu (assuming I'd get the first-time setup page).

Using my default browser, Chrome 43, I get that same page with nothing but the 2 links on it. Using IE11, same thing.

But when I tried this with Firefox 31, I got the first-time setup stuff and was able to "bypass checks" along the way and complete the first time setup.

Oddly, even after I completed the first-time setup, IE11 and Chrome 43 both still gave me the same not-useful page with the 2 links on it. I've even tried going to Settings->User interface to open the views directly in chrome and IE and I still get the "2 links" page only.

0 Karma

mfrost8
Builder

Also interesting is that if I do "View Source" in Chrome, I certainly see sections that seem to correspond to what I see displayed in Firefox, it just doesn't render it in Chrome or IE11.

0 Karma

rostendorf_splu
Splunk Employee

Any JavaScript errors on IE11 or Chrome? Perhaps check F12 in IE to debug... Also maybe try clearing browser cache & cookies? I tested my instance against IE 11 and Chrome... no problems getting to first time setup.

0 Karma

mfrost8
Builder

I cleared my cache in IE11 and get the same result. Hit F12 in IE -- doesn't show any javascript errors. I am not familiar with debugging via F12 so I'm not quite sure what to do there.

I asked some other people to try this via their browsers. So far only one has replied, but he gets the exact same results in Chrome (he has IE8 which isn't supported at all with Splunk 6.2).

0 Karma

rostendorf_splu
Splunk Employee

Perhaps there is some other corporate software like an AV extension (or other browser extension/plugin) on the IE/Chrome browser that is blocking the loading of the page? Or maybe there are some kind of javascript/security restrictions on these browsers.

The fact that it works for you on Firefox indicates it is likely browser related. I can also confirm it works for me in IE and Chrome.

There is some info on the web regarding diagnosing Javascript. This site might be useful:
https://codex.wordpress.org/Using_Your_Browser_to_Diagnose_JavaScript_Errors

0 Karma

mfrost8
Builder

I had been trying this on Windows where there's definitely a suite of security apps running. I tried it on my linux workstation where there are no such restrictions and see the same pattern: Firefox works fine, Chrome does not.

I don't know what I was looking at before when hitting F12, but when I look at it now under Chrome or IE11 on any OS, I'm seeing

Refused to execute script from 'https://:8000/dj/static/js/build/splunkjs.min/config.js' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.

So apparently, the following is in the HTTP header

X-Content-Type-Options: nosniff

which causes Chrome and IE11 to generate this. Presumably because Splunk hasn't set the type for javascript properly on this page. (Shouldn't it be "application/javascript"?).

The search heads are running SuSE and I have seen and applied http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/SuSeLinuxerror even though it's not really this MIME type.

I guess what really surprises me is that Firefox works -- that it does not seem to enforce this as well.

0 Karma
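
The strict MIME type check described in the post above, as an added example that is not part of the original thread and not Splunk code. The function names and the `/example/` paths are hypothetical; the first sample uses the path and header values quoted in the post, and the list of accepted types is the set of JavaScript MIME types from the WHATWG MIME Sniffing standard.

```javascript
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing
// standard; "text/x-js" is not one of them.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? "" : String(headers[key]);
}

// Would a browser that enforces nosniff refuse this response as a script?
function checkScriptResponse(headers) {
  // Only the first comma-separated value of the header is considered.
  const first = getHeader(headers, "X-Content-Type-Options").split(",")[0];
  const nosniff = first.trim().toLowerCase() === "nosniff";
  // Drop parameters such as "; charset=utf-8" to get "type/subtype".
  const essence = getHeader(headers, "Content-Type")
    .split(";")[0].trim().toLowerCase();
  const blocked = nosniff && !JS_MIME_ESSENCES.has(essence);
  return { nosniff, essence, blocked };
}

// Constructed sample responses. The first uses the path and header values
// quoted in the post; the other paths are hypothetical.
const SAMPLES = [
  { path: "/dj/static/js/build/splunkjs.min/config.js",
    headers: { "Content-Type": "text/x-js", "X-Content-Type-Options": "nosniff" } },
  { path: "/example/no-nosniff.js",
    headers: { "Content-Type": "text/x-js" } },
  { path: "/example/typed.js",
    headers: { "content-type": "application/javascript; charset=utf-8",
               "x-content-type-options": "nosniff" } },
  { path: "/example/untyped.js",
    headers: { "X-Content-Type-Options": "NoSniff" } },
];

// Return the paths a nosniff-enforcing browser would refuse to execute.
function auditScripts(samples) {
  return samples.filter((s) => checkScriptResponse(s.headers).blocked)
    .map((s) => s.path);
}
```

A script served with no Content-Type at all is also refused once nosniff is set, which is why the last sample is reported alongside the `text/x-js` one.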

rbal_splunk
Splunk Employee

Splunk Add-on for Microsoft Windows is an old app that only works for the 5.x version.

This was replaced by "Splunk Add-on for Microsoft Windows", which gathers most of the Windows-specific data.
To display this and other additional data, the app "Splunk App for Windows Infrastructure" is provided by Splunk.

Now if you don't want to use the Windows Infr app, you could just install "Splunk Add-on for Microsoft Windows", get the required data, and create your own dashboards and views.

mfrost8
Builder

Thanks. I'm aware of that. My problem is that I'm trying to use the Splunk app for Windows Infrastructure, but it seems to require that I tie it into AD and DNS. I do not have access to AD or DNS nor am I likely to. From the docs, it seems like it is then impossible to complete setup of this app and thus to use it if I don't have that AD access.

0 Karma

rostendorf_splu
Splunk Employee

@mfrost8 - See my comment below...

0 Karma