I have installed the app and faithfully followed the instructions provided but I still see no result when I try to launch the app.
I know that the sourcetype coming from my DHCP server is not the default "DhcpSrvLog" sourcetype (mine is like "DhcpSrvLog-Mon", "DhcpSrvLog-Tue", and so on) so I did the steps for Field Extractions changing the [DhcpSrvLog] stanza to [DhcpSrvLog-Mon] and so on...to no avail.
At the least I'm seeing these DHCP logs when I do a search on the Search app so I'm sure that the logs are coming in alright.
Can someone please point me in the right direction...I have no idea what's amiss. Will really appreciate all your help. Thanks in advance.
On one of the dashboards where you are not seeing results displayed, there will be a link next to 'no results found'. When you click on this link, it should show you some information on the search that was run, including the search itself. Can you let me know what the search string is? In particular, does the sourcetype match up with the sourcetype for your DHCP data in Splunk?
this was the search string...
search sourcetype=DhcpSrvLog dhcp_message= | replace "windhcp_" with * in dhcp_message | top dhcp_message
so the sourcetype used for this search was still the default and different from the sourcetypes coming from my forwarder - DhcpSrvLog-Mon. Isn't that supposed to be handled by the changes I made in ../local/props.conf?
Per this question:
Please refer to the app documentation:
Most of the saved searches and dashboards depend on the macro
WinDHCP_event being defined correctly. By default, this event type is defined as "sourcetype=DhcpSrvLog", so if you have performed the initial step of getting the field extractions to work, you should be all set. If you still have problems, please post to answers.splunk.com using the link on this page.
Thus, for in your case, you should change the macro to be
sourcetype=DhcpSrvLog-*. You might have to wait 5 or 10 minutes after that for the dashboard's saved searches to work as expected.
I followed one of the answers here: http://splunk-base.splunk.com/answers/27455/logs-being-sent-with-lwf basically editing .../etc/system/local/inputs.conf and adding these additional directives;
sourcetype = DhcpSrvLog
After service restart...it worked! Thanks for all the help!