Changing Index for ActiveDirectory Sourcetype within Splunk_TA_windows

Builder

Hello All,

I'm using the Splunk_TA_windows app from Splunk to understand Windows data. I've modified the app to pour data into the indexes of my choice and everything works fine (I've deployed the Splunk_TA_Windows to all the Windows nodes and they are pouring data back as I've specified), with the exception of one sourcetype.

Sourcetype = ActiveDirectory

This sourcetype pours its data into the "main" index. I desire all of the ActiveDirectory info to be poured into index = a

As a test to determine how the data was being poured in, I temporarily disabled the Splunk_TA_windows app from its server class. All of the "ActiveDirectory" info stopped being poured in as the Windows deployment app was disabled. Once I turned the app back on, all the data began to pour back in (to the main index).

I also noticed under "All Configurations" that the sourcetype ActiveDirectory had 3 entries; all showed the config type was props-extract.

I then navigated over to $SPLUNK_HOME/etc/system/local/ to see if there was an entry made there that would cause this, and I see nothing. I tried to create an entry and specify index = a, but it had no effect.

It appears that whatever is causing the sourcetype = ActiveDirectory to pour its data into main is directly tied to the Splunk_TA_windows app. I cannot locate where or how to modify it so that the Active Directory info goes to the index of my choosing. Thank you for your assistance.

0 Karma
1 Solution

Champion

The admon input included in the TA doesn't list a sourcetype in its default inputs.conf (it's set in code somewhere), so it may not stand out when looking for it, but you can see your admon inputs thusly:

[splunk@indexer ~]$ ./bin/splunk btool inputs list admon
[admon://default]
disabled = 1
host = indexer
index = default
monitorSubtree = 1

This is what is in the default input listing in the TA:

[admon://default]
disabled = 1
monitorSubtree = 1

Wherever you have enabled admon://default is where you should add index = <new index>.

0 Karma

Explorer

When this sort of thing happens on our environment I use the btool feature to make sure the config loaded corresponds to what I am expecting.

./splunk cmd btool inputs list

You can add "--debug" at the end of the command to see which config file causes what:

./splunk cmd btool inputs list --debug

Write it to a file and start digging for the sourcetype you are looking for 🙂

Ref: https://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Usebtooltotroubleshootconfigurati...

0 Karma
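Putting the two answers together, here is an added example (not from this thread, and not Splunk's own tooling) that parses a btool --debug listing for the admon stanza and reports which file supplied each key: if "index" comes from etc/system/default, nothing in the TA set it and events fall through to main, and the file that set disabled = 0 is where index = <new index> belongs. The sample output, its paths and the function names are constructed for illustration; the line layout assumes btool's usual "winning file path, then config line" form.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `splunk btool inputs list admon --debug` output.
# The paths and values are made up for illustration; only the layout
# (winning file path, then the config line) mirrors what btool prints.
SAMPLE_BTOOL_DEBUG = """\
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf  [admon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf    disabled = 0
/opt/splunk/etc/system/default/inputs.conf                  host = indexer
/opt/splunk/etc/system/default/inputs.conf                  index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf  monitorSubtree = 1
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")  # "<path>  <stanza-or-key = value>"

Stanzas = Dict[str, Dict[str, Tuple[str, str]]]


def parse_btool_debug(text: str) -> Stanzas:
    """Map stanza -> key -> (effective value, file that supplied it)."""
    stanzas: Stanzas = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, body = m.group(1), m.group(2).strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in body:
            key, value = (part.strip() for part in body.split("=", 1))
            stanzas[current][key] = (value, path)
    return stanzas


def index_origin(stanzas: Stanzas, stanza: str) -> Optional[Tuple[str, str]]:
    """(value, path) for 'index', or None if absent. A path under
    etc/system/default means nothing in the TA set it (events go to main)."""
    return stanzas.get(stanza, {}).get("index")


def enabling_file(stanzas: Stanzas, stanza: str) -> Optional[str]:
    """The file that set disabled = 0: the place to add index = <new index>."""
    entry = stanzas.get(stanza, {}).get("disabled")
    return entry[1] if entry and entry[0] == "0" else None


if __name__ == "__main__":
    parsed = parse_btool_debug(SAMPLE_BTOOL_DEBUG)
    print("index comes from:", index_origin(parsed, "admon://default"))
    print("add index = in:", enabling_file(parsed, "admon://default"))
```

On a real host, feed it the saved output of `./splunk cmd btool inputs list admon --debug` instead of the constructed sample.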