
Why is Search & Reporting not displaying expected sources?

eckdale
Path Finder

Splunk newbie here.

I've installed the Splunk App for Windows Infrastructure on my central instance (indexer + search head) and deployed the following applications to my 2008 R2 AD DCs: Splunk_TA_windows, TA-DNSServer-NT6, and TA-DomainController-NT6.

Everything appears to be in order, but I am not seeing some expected sources in the index. Specifically, if I go to Splunk Search and Reporting > Data Summary, I see:

  • WinEventLog:Application
  • WinEventLog:Security
  • WinEventLog:System
  • Perfmon:Memory
  • Perfmon:LocalNetwork
  • Perfmon:FreeDiskSpace
  • Perfmon:CPUTime
  • some more sources...

However if I enter the following search:

index=winevents source="WinEventLog:DNS Server"

Results are returned, which confuses me because WinEventLog:DNS Server isn't listed as an indexed source.


jbernt_splunk
Splunk Employee

Hi there. The reason you're seeing DNS Server is the TA-DNSServer-NT6 add-on that you are required to deploy to your DCs; it has specific inputs for DNS Server related event logs. Hope this helps.


eckdale
Path Finder

I found that simply editing the 'indexes searched by default' setting of the applicable user role to include the indexes I cared about resolved the issue.


jbernt_splunk
Splunk Employee

One reason may be that the index(es) used to house the DNS Server traffic may not be in your default-searched-indexes listing under the User role. Also, if you don't see "WinEventLog:DNS Server", you may see "WinEventLog:DNS-Server" (notice the dash). Searching in data summary for "dns" will reveal a bit more.

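The two replies above point at the same root cause: an add-on's inputs.conf can route a source into an index that the searching role's srchIndexesDefault list does not include, so the source only shows up when the search names the index explicitly. The script below is an added example, not part of this thread or of the Splunk App for Windows Infrastructure; it cross-checks constructed authorize.conf and inputs.conf fragments and lists every enabled input whose index falls outside a role's default search scope. The stanza-to-source mapping (WinEventLog://X to WinEventLog:X, perfmon://X to Perfmon:X), the fallback index of main for inputs that set no index, and the sample stanzas are assumptions made for the example; it also compares the "DNS Server" and "DNS-Server" spellings mentioned above as the same channel.

```python
"""Cross-check which Windows TA inputs land in indexes a role does not search by default.

Constructed sample config fragments modelled on Splunk's authorize.conf and
inputs.conf syntax; not the Splunk App for Windows Infrastructure's real files.
"""
import configparser

# Constructed authorize.conf fragment: the "user" role searches only "main" by default,
# the "power" role searches "main" and "winevents". Lists are semicolon-separated.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_power]
srchIndexesAllowed = *
srchIndexesDefault = main;winevents
"""

# Constructed inputs.conf fragment, assumed to resemble what the deployed TAs ship.
INPUTS_CONF = """
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://DNS Server]
disabled = 0
index = winevents

[WinEventLog://Directory Service]
disabled = 0
index = winevents

[perfmon://CPUTime]
disabled = 0
object = Processor
"""


def _parse(text):
    """Splunk .conf files are INI-like; keep key case as Splunk does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def default_search_indexes(authorize_text, role):
    """Indexes the role searches when a search names no index (srchIndexesDefault)."""
    cp = _parse(authorize_text)
    raw = cp.get(f"role_{role}", "srchIndexesDefault", fallback="")
    return {i.strip() for i in raw.split(";") if i.strip()}


def stanza_to_source(stanza):
    """Assumed mapping from an inputs.conf stanza to the source value Splunk assigns."""
    scheme, _, name = stanza.partition("://")
    if scheme == "WinEventLog":
        return f"WinEventLog:{name}"
    if scheme.lower() == "perfmon":
        return f"Perfmon:{name}"
    return stanza


def input_indexes(inputs_text, fallback_index="main"):
    """source -> index for every enabled input; a missing 'index' key uses the fallback (assumed)."""
    cp = _parse(inputs_text)
    out = {}
    for stanza in cp.sections():
        if cp.get(stanza, "disabled", fallback="0").strip() not in ("0", "false"):
            continue
        out[stanza_to_source(stanza)] = cp.get(stanza, "index", fallback=fallback_index).strip()
    return out


def hidden_sources(authorize_text, inputs_text, role):
    """Sources that are indexed but invisible to the role unless the search names their index."""
    visible = default_search_indexes(authorize_text, role)
    return sorted((src, idx) for src, idx in input_indexes(inputs_text).items() if idx not in visible)


def normalize_source(source):
    """Treat 'WinEventLog:DNS Server' and 'WinEventLog:DNS-Server' as the same log channel."""
    return source.lower().replace("-", " ")


if __name__ == "__main__":
    for src, idx in hidden_sources(AUTHORIZE_CONF, INPUTS_CONF, "user"):
        print(f"{src!r} is in index={idx}, outside the user role's default search scope")
```

Run against real files, pointing it at the merged output of `splunk btool authorize list` and `splunk btool inputs list` is the usual way to get the effective stanzas rather than one app's copy; any source the script reports will only appear in Data Summary once its index is added to the role's default list or named in the search.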

eckdale
Path Finder

I think you've found the issue. If I search "index=winevents" I see the 4 unique sources that I thought were missing. If I search "source=WinEventLog:Application" I see index=main. As a Splunk newbie I find the concept of Search & Report not actually searching all of the indexes strange... or maybe it would be more accurate to say that I find it strange that the Splunk App for Windows Infrastructure is placing Windows Event log data into more than one index.


eckdale
Path Finder

I understand that the TA-DNSServer-NT6 app has specific inputs enabled; what I don't understand is why I don't see 'WinEventLog:DNS Server' as an indexed source unless I explicitly search for it.
