Windows Infrastructure App pulling from main index

tminiz
Engager

From several posts I have read that the best practice for Windows events is to forward them to a winevents index. I've just set up Splunk and at first I sent the data to the default main index, but recently changed it to winevents.

When I open the Windows Infrastructure app the reports only show indexed data from main and not from winevents index. I've tried changing all index references to index=winevents, but still no success.

Can anyone point me towards which config files I need to change to see the correct data in the reports?

And am I right that it should be indexed to Winevents?


okrabbe_splunk
Splunk Employee

The file you are looking for is located in "splunk_app_windows_infrastructure/default/eventtypes.conf".

In there you will see the eventtypes that are used throughout the Windows app.

You can edit this file, but the right thing to do is to make a copy of this file in splunk_app_windows_infrastructure/local.

Make your changes there so that when the app gets upgraded your changes will not be overwritten.


okrabbe_splunk
Splunk Employee

It is difficult to move data to another index and rarely worth it. Now that you have it searching both indexes, I would recommend you leave it as it is. If you want, you can set a retention age on an index and switch the new data to go to main. That way, eventually the data in winevents will age out and it will all be in main.

That being said, I don't think there is a huge advantage other than you wouldn't have to update eventtypes.conf if an app expects the data in main.


tminiz
Engager

Hi. You are right :) It was near the bottom of the eventtypes.conf file. I tried searching for it in the file, but must have spelled something wrong. Also, it was a very good tip to use "setting|event type" in the UI. Changed all Windows event types to (index="main" OR index="winevents") so I don't miss the old data. Works like a charm!

I understand that moving data from the old index to the new one is near impossible, or can it be done?

Thanks!

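The change described in this reply, generated rather than hand-edited, as an added example that is not part of the thread or of the Splunk app: a small script that reads a default eventtypes.conf, and emits a local/eventtypes.conf override that pins every eventtype whose search matches Windows event log sourcetypes to both indexes. The sample conf text is constructed from the stanza shape quoted in the thread, not the app's full file; the stanza names other than windows_events are assumptions.

```python
import re

# Constructed sample in the shape of the stanza quoted in the thread;
# perfmon_events is a made-up stanza to show that unrelated eventtypes are left alone.
DEFAULT_EVENTTYPES = """\
[windows_events]
search = sourcetype="WMI:WinEventLog*" OR sourcetype="WinEventLog*"

[perfmon_events]
search = sourcetype="Perfmon:*"
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_conf(text):
    """Parse Splunk-style .conf text into an ordered list of (stanza, {key: value})."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = (m.group("name"), {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas


def build_local_override(default_text, indexes, marker="WinEventLog"):
    """Return local/eventtypes.conf text that restricts every eventtype whose
    search mentions `marker` to the given indexes. The original search is
    wrapped in parentheses: SPL groups OR before the implicit AND, so a bare
    index prefix would only bind to the first sourcetype term."""
    index_clause = " OR ".join(f'index="{i}"' for i in indexes)
    out = []
    for name, keys in parse_conf(default_text):
        search = keys.get("search", "")
        if marker not in search:
            continue  # only override what is needed; other stanzas keep their defaults
        out.append(f"[{name}]")
        out.append(f"search = ({index_clause}) ({search})")
        out.append("")
    return "\n".join(out)
```

Write the returned text to splunk_app_windows_infrastructure/local/eventtypes.conf, then restart Splunk or reload the app so the new search definitions take effect.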

okrabbe_splunk
Splunk Employee

You can also use the UI to look at eventtypes.

okrabbe_splunk
Splunk Employee

It should be in that directory. I just downloaded the app to confirm and it is defined in eventtypes.conf in the default directory.

[windows_events]
search = sourcetype="WMI:WinEventLog*" OR sourcetype="WinEventLog*"


tminiz
Engager

I see that the result returns as eventtype="windows_events", but that is not a type found in "splunk_app_windows_infrastructure/default/eventtypes.conf". Can it be somewhere else?


okrabbe_splunk
Splunk Employee

Have you tried running the search in a normal search window? From any of the dashboard panels you should be able to run the search and see if it is getting data back based on the eventtype.


tminiz
Engager

Are you sure this works for this app? I've tried changing it, but it still only showed data from the main index, even after a restart.

