
Windows Infrastructure app lookups have no data

mmqt
Path Finder

I recently updated the WI app to version 1.5.2. On version 1.5.1 I was able to build lookups fine and data was populating. After updating to 1.5.2, none of the lookups populate with data. The lookups themselves are "running" when I run the build, just no data is being added to them:

Building lookup - WinApp_Lookup_Build_Perfmon - Update - Server ...
WinApp_Lookup_Build_Perfmon - Update - Server built. (took 0.93s)
Building lookup - WinApp_Lookup_Build_Perfmon - Update - Detail ...
WinApp_Lookup_Build_Perfmon - Update - Detail built. (took 1.49s)
Building lookup - WinApp_Lookup_Build_Event - Update - Server ...
WinApp_Lookup_Build_Event - Update - Server built. (took 0.76s)
Building lookup - WinApp_Lookup_Build_Event - Update - Detail ...
WinApp_Lookup_Build_Event - Update - Detail built. (took 0.31s)
Building lookup - WinApp_Lookup_Build_Hostmon - Update - Server ...
WinApp_Lookup_Build_Hostmon - Update - Server built. (took 0.32s)
Building lookup - WinApp_Lookup_Build_Hostmon_Machine - Update - Detail ...
WinApp_Lookup_Build_Hostmon_Machine - Update - Detail built. (took 0.97s)
Building lookup - WinApp_Lookup_Build_Hostmon_FS - Update - Detail ...
WinApp_Lookup_Build_Hostmon_FS - Update - Detail built. (took 0.32s)
Building lookup - WinApp_Lookup_Build_Hostmon_Process - Update - Detail ...
WinApp_Lookup_Build_Hostmon_Process - Update - Detail built. (took 0.32s)
Building lookup - WinApp_Lookup_Build_Hostmon_Services - Update - Detail ...
WinApp_Lookup_Build_Hostmon_Services - Update - Detail built. (took 0.34s)
Building lookup - WinApp_Lookup_Build_Netmon - Update - Server ...
WinApp_Lookup_Build_Netmon - Update - Server built. (took 0.35s)
Building lookup - WinApp_Lookup_Build_Netmon - Update - Detail ...
WinApp_Lookup_Build_Netmon - Update - Detail built. (took 0.74s)
Building lookup - WinApp_Lookup_Build_Printmon - Update ...
WinApp_Lookup_Build_Printmon - Update built. (took 0.32s)
Building lookup - DomainSelector_Lookup ...
DomainSelector_Lookup built. (took 0.32s)
Building lookup - HostToDomain_Lookup_Update ...
HostToDomain_Lookup_Update built. (took 0.32s)
Building lookup - tHostInfo_Lookup_Update ...
tHostInfo_Lookup_Update built. (took 0.76s)
Building lookup - tSessions_Lookup_Update ...
tSessions_Lookup_Update built. (took 0.35s)
Building lookup - SiteInfo_Lookup_Update ...
SiteInfo_Lookup_Update built. (took 0.34s)
Building lookup - ActiveDirectory: Update GPO Lookup ...
ActiveDirectory: Update GPO Lookup built. (took 0.34s)
Building lookup - ActiveDirectory: Update Group Lookup ...
ActiveDirectory: Update Group Lookup built. (took 0.31s)
Building lookup - ActiveDirectory: Update User Lookup ...
ActiveDirectory: Update User Lookup built. (took 0.33s)
Building lookup - ActiveDirectory: Update Computer Lookup ...
ActiveDirectory: Update Computer Lookup built. (took 0.32s)

The dashboards are populating with data, so I can go to the Windows > Event Monitoring section and data is there and populated. But if I go to the Windows > Windows Overview page, then all overview panels pulling from the lookups are empty.

If I then drill into the search

| inputlookup windows_event_system

I get zero results returned.
As per this doc:
https://docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/TroubleshoottheSplunkAppforWindowsInfrastr...
and a few Splunk Answers posts:
https://answers.splunk.com/answers/556067/why-is-the-splunk-app-for-windows-infrastructure-u.html

https://answers.splunk.com/answers/180709/how-to-troubleshoot-why-splunk-app-for-windows-inf.html

I've configured a local admin account; that admin account has the roles admin and winfra-admin and has access to all indexes. If I go to manage the app permissions, I've set everyone to read/write perms. So I'm a bit confused as to why nothing is being populated. Does anyone know why this is happening?

Thanks

0 Karma
1 Solution

mmqt
Path Finder

Thanks to @gcusello for suggesting that I look into the setup a bit more. After examining some of the saved searches in /default/ I noticed that they were calling a few specific macros:

wineventlog-index
windows-index
msad-index
perfmon-index

These macros had predefined index names, like "wineventlog", which, if you aren't using that specific name, is going to cause the macro to fail.

To modify these macros, go to Settings > Advanced Search > Search macros and specify the app "Splunk App for Windows Infrastructure".
Edit the macros so that they look at the specific index that you use. This solved my problem with running the build lookup script; hope this works for you as well @pir8radio


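The same macro change as a file-level override, added here as an example (not from the original post or from the app itself). It assumes the app directory is splunk_app_windows_infrastructure, that the shipped definitions are bare `index=<name>` clauses, and uses placeholder index names; replace those with the indexes your Windows inputs actually write to.

```ini
# $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/macros.conf
# (app directory name assumed; check your install)
#
# Stanzas in local/ override the same-named stanzas in default/, and an app
# upgrade only replaces default/, so these overrides survive the next update.
# The four macro names below are the ones the thread identifies in the app's
# saved searches. The "my_*" index names are placeholders (constructed here).

[wineventlog-index]
# shipped definition assumed to be: definition = index=wineventlog
definition = index=my_wineventlog

[windows-index]
# several indexes can be listed; keep the parentheses so the OR stays grouped
# when the macro is expanded inside a larger search
definition = (index=my_windows OR index=my_wineventlog)

[msad-index]
definition = index=my_msad

[perfmon-index]
definition = index=my_perfmon

# Quick check from the search bar after saving (each should return events):
#   `wineventlog-index` | head 1
#   `perfmon-index` | head 1
# Then re-run the lookup build; the "built. (took ...)" lines above only show
# that the saved searches ran, not that they matched any events.
```

Prefer this over editing default/macros.conf directly, since edits in default/ are lost on the next app upgrade.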
pir8radio
Path Finder

Thanks @mmqt, I started noticing this, and noticed I had NONE of the indexes it was looking for; figured it would add them automatically. I'll add them and move my inputs into them. Thanks!

0 Karma

gcusello
SplunkTrust

Hi mmqt,
I had this problem two years ago after an upgrade, because there were differences between add-ons to use.
Check on the documentation if you have the correct version of add-ons.
Then check the searches used to populate lookups: verify that the eventtypes run correctly; maybe there's a problem because usually indexes aren't in eventtypes and they are out of the default path, so you need to modify your default path or add the index to all eventtypes.

Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust

Hi mmqt,
if my answer helped you to solve your problem, please accept and/or upvote it.
Bye.
Giuseppe

0 Karma

pir8radio
Path Finder

I am having the exact same issue.

0 Karma