All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Search & Reporting not displaying expected sources?

eckdale
Path Finder
‎05-29-2014 12:45 PM

Splunk newbie here.

I've installed the Splunk App for Windows Infrastructure to my central instance (indexer + search head) and deployed the following application to my 2008 R2 AD DCs: Splunk_TA_windows, TA-DNSServer-NT6, and TA-DomainController-NT6.

Everything appears to be in order but I am not seeing some expected sources in the index. Specifically if I go to Splunk Search and Reporting > Data Summary, I see:

  • WinEventLog:Application
  • WinEventLog:Security
  • WinEventLog:System
  • Perfmon:Memory
  • Perfmon:LocalNetwork
  • Perfmon:FreeDiskSpace
  • Perfmon:CPUTime
  • some more sources...

However if I enter the following search: 

index=winevents source="WinEventLog:DNS Server"

Results are returned which confuses me because WinEventLog:DNS Server isn't listed as an indexed source.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎05-29-2014 12:49 PM

Hi there. The reason you're seeing DNS Server, is due to the TA-DNSServer-NT6 addon that is required that you have deployed to your DCs that has specific inputs for DNS Server related eventlogs. Hope this helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

eckdale
Path Finder
‎05-29-2014 03:29 PM

I found that by simply editing the 'indexes searched by default' of the applicable user role to include the indexes I cared about resolved the issue.

0 Karma
Reply
Solved! Jump to solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎05-29-2014 01:09 PM

One reason may be that the index(es) used to house the DNS Server traffic may not be in your default-searched-indexes listing under the User role. Also, if you don't see "WinEventLog:DNS Server", you may see "WinEventLog:DNS-Server" (notice the dash). Searching in data summary for "dns" will reveal a bit more.

0 Karma
Reply
Solved! Jump to solution
Solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎05-29-2014 12:49 PM

Hi there. The reason you're seeing DNS Server, is due to the TA-DNSServer-NT6 addon that is required that you have deployed to your DCs that has specific inputs for DNS Server related eventlogs. Hope this helps.

0 Karma
Reply
Solved! Jump to solution

eckdale
Path Finder
‎05-29-2014 01:23 PM

I think you've found the issue. If I search "index=winevents" I see the 4 unique sources that I thought were missing. If I search "source="WinEventLog:Application" I see the index=main. As a Splunk newbie I find the concept of Search & Report not actually searching all of the indexes strange... or maybe it would be more accurate to say that I find it strange that they Splunk App for Windows Infrastructure is placing Windows Event log data into more than one index.

0 Karma
Reply
Solved! Jump to solution

eckdale
Path Finder
‎05-29-2014 01:02 PM

I understand that the TA-DNSServer-NT6 app has specific inputs enabled what I don't understand is why I don't see the 'WinEventLog:DNS Server' as an indexed source unless I explicitly search for it.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...