- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
I'm using the Splunk_TA_windows app from Splunk to understand windows data. I've modified the app to pour data into the indexes of my choice and everything works fine (I've deployed the Splunk_TA_Windows to all the windows nodes and they are pouring data back as I've specified With the exception of one sourcetype.
Sourcetype = ActiveDirectory
This sourcetype pours it's data into the "main" index. I desire all of ActiveDirectory info to be poured into index = a
As a test to determine how the data was being poured in, i temporarily disabled the Splunk_TA_windows app from it's server class. All of the "ActiveDirectory" info stopped being poured in as the Windows deployment app was dsiabled. Once I turned the app back on all the data began to pour back in (to the main index).
I also noticed under "All Configurations" that the Sourcetype ActiveDirectory had 3 entries all showed the config type was props-extract
I then Navigated over to $SPLUNK_HOME/etc/system/local/ to see if there was an entry made there that would cause this and I see nothing. I tried to create and entry and specify the index = a but it had no affect.
It appears that whatever is causing the sourcetype = ActiveDirectory to pour it's data into main is directly tied o the Splunk_TA_windows app. I cannot locate where or how to modify it so that the Active Directory info goes to the index of my choosing. Thank you for your assistance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The admon input included in the TA doesn't list a sourcetype in its default inputs.conf (it's set in code somewhere), so it may not stand out when looking for it, but you can see your admon inputs thusly:
[splunk@indexer ~]$ ./bin/splunk btool inputs list admon
[admon://default]
disabled = 1
host = indexer
index = default
monitorSubtree = 1
This is what is in the default input listing in the TA:
[admon://default]
disabled = 1
monitorSubtree = 1
Wherever you have enabled admon://default is where you should add index = <new index>.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When this sort of thing happens on our environment I use the btool feature to make sure the config loaded corresponds to what I am expecting.
./splunk cmd btool inputs list
You can add "--debug" at the end of the command to see what config file causes what
./splunk cmd btool inputs list --debug
Write it to a file and start digging for the sourcetype you are looking for 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The admon input included in the TA doesn't list a sourcetype in its default inputs.conf (it's set in code somewhere), so it may not stand out when looking for it, but you can see your admon inputs thusly:
[splunk@indexer ~]$ ./bin/splunk btool inputs list admon
[admon://default]
disabled = 1
host = indexer
index = default
monitorSubtree = 1
This is what is in the default input listing in the TA:
[admon://default]
disabled = 1
monitorSubtree = 1
Wherever you have enabled admon://default is where you should add index = <new index>.
