Getting Data In

How do I get useful information\reports from Splunk about Windows desktops and servers?

gph12
Explorer

Hi Everyone,

How can I get useful information and\or reports from Splunk? I'm new to Splunk and we have a compliance requirement to meet by the end of the month. We need to configure Splunk to email reports to Sys Admins each day with highlights, critical issues, etc. Of course, there's no time for training and we have other pressing issues so I'm basically doing this in between other responsibilities...like everyone these days.

We rolled it out on one of our smaller networks of less than 50 Windows desktops and servers. The Splunk server is installed and the clients are sending logs to it via the Universal Forwarder. But I don't understand Splunk enough to get what I need.

With Windows Event Viewer, you can sort the System and Application logs by Level. Then you can see the entries by whether they are Errors, Warnings, and Informational. The errors with red exclamation points are what we reviewed before Splunk. I'd like to get the equivalent of that for each desktop and server. Then I'd like to get a summary of the major errors for all desktops and servers. Then I need to create daily reports and get them emailed to me (or a link to a report emailed).

I went through the Search Tutorial but need more real world examples. I'd appreciate quick tips, video links or a direction on where to start.

Thanks in advance.

Greg

0 Karma
1 Solution

lukas_loder
Communicator

Have you installed the Windows-TA app on your forwarder? and on your Indexer/server?

This search

index={your Index} type=1

Gets you all the critical windows events. with host={your host} you can also just get the logs from one server

with this one you get a list of which eventcode you got how often

index={your index} type=1 | stats count by EventCode

Go forward and specify your search until you have everythin you want. And then go on the top right and click "Save As" --> "Report"
There you can specify where the E-Mail should be sent and how often the Report is sheduled.

If you haven't configured your E-Mail on the splunk go on the server --> Settings --> Server settings --> E-Mail settings and configure your e-mail there..

View solution in original post

0 Karma

lukas_loder
Communicator

Have you installed the Windows-TA app on your forwarder? and on your Indexer/server?

This search

index={your Index} type=1

Gets you all the critical windows events. with host={your host} you can also just get the logs from one server

with this one you get a list of which eventcode you got how often

index={your index} type=1 | stats count by EventCode

Go forward and specify your search until you have everythin you want. And then go on the top right and click "Save As" --> "Report"
There you can specify where the E-Mail should be sent and how often the Report is sheduled.

If you haven't configured your E-Mail on the splunk go on the server --> Settings --> Server settings --> E-Mail settings and configure your e-mail there..

0 Karma

gph12
Explorer

No, I haven't. Didn't know about it. Thanks for the information. I will try it this afternoon.

Is there anything else like this that is a must for a Windows shop that experienced Splunk admins know about but t takes a newbie a long time to hear about?

Also, I'm wondering if I should have separate indexes for the servers and the workstations. It's a small shop but that might make sense for one of our larger networks that we implement it on later.

Thanks,

Greg

0 Karma

lukas_loder
Communicator

We aren't working with splunk on our clients..
But one of the best way to make your search very fast are different Indexes. So if you are going to do seperate searches on Clientlogs and Serverlogs, it is of corse a good idea to have two indexes.

There is a Splunk App for Windows with some default dashboards. But we aren't using it. But you can try it

https://splunkbase.splunk.com/app/272/

0 Karma

gph12
Explorer

I installed the Windows_TA app. Very interesting process. Problem is I already had an index called wineventlog which the TA app would normally create. So it doesn't appear that the App has permission to it. I'm getting an error when trying to confirm the searches as described by the Splun Windows Add On guide on page 21. I'm going to post a question about that. Thanks for telling me about these apps. I think they are what we need.

Greg

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...