Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

WindDHCP app returning no result

williamavila12
Explorer
‎07-18-2011 08:35 PM

I have installed the app and faithfully followed the instructions provided but I still see no result when I try to launch the app.

I know that the sourcetype coming from my DHCP server is not the default "DhcpSrvLog" sourcetype (mine is like "DhcpSrvLog-Mon", "DhcpSrvLog-Tue", and so on) so I did the steps for Field Extractions changing the [DhcpSrvLog] stanza to [DhcpSrvLog-Mon] and so on...to no avail.

At the least I'm seeing these DHCP logs when I do a search on the Search app so I'm sure that the logs are coming in alright.

Can someone please point me in the right direction...I have no idea what's amiss. Will really appreciate all your help. Thanks in advance.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎07-20-2011 08:35 AM

Per this question:

http://splunk-base.splunk.com/answers/27455/logs-being-sent-with-lwf

Please refer to the app documentation:

http://splunk-base.splunk.com/apps/22353/windows-dhcp

Saved Searches

Most of the saved searches and dashboards depend on the macro WinDHCP_event being defined correctly. By default, this event type is defined as "sourcetype=DhcpSrvLog", so if you have performed the initial step of getting the field extractions to work, you should be all set. If you still have problems, please post to answers.splunk.com using the link on this page.

Thus, for in your case, you should change the macro to be sourcetype=DhcpSrvLog-*. You might have to wait 5 or 10 minutes after that for the dashboard's saved searches to work as expected.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎07-21-2011 10:52 AM

Glad you solved the issue! Please accept the answer.

0 Karma
Reply

williamavila12
Explorer
‎07-20-2011 07:01 PM

Problem solved...

I followed one of the answers here: http://splunk-base.splunk.com/answers/27455/logs-being-sent-with-lwf basically editing .../etc/system/local/inputs.conf and adding these additional directives;

[monitor://C:\Windows\System32\dhcp]
sourcetype = DhcpSrvLog
crcSalt =
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+.log

After service restart...it worked! Thanks for all the help!

0 Karma
Reply

williamavila12
Explorer
‎07-19-2011 11:54 PM

Hi araitz,

this was the search string...

search sourcetype=DhcpSrvLog dhcp_message= | replace "windhcp_" with * in dhcp_message | top dhcp_message

so the sourcetype used for this search was still the default and different from the sourcetypes coming from my forwarder - DhcpSrvLog-Mon. Isn't that supposed to be handled by the changes I made in ../local/props.conf?

Thanks

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎07-19-2011 08:31 AM

On one of the dashboards where you are not seeing results displayed, there will be a link next to 'no results found'. When you click on this link, it should show you some information on the search that was run, including the search itself. Can you let me know what the search string is? In particular, does the sourcetype match up with the sourcetype for your DHCP data in Splunk?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...