Thank you for taking the time to consider my question. I'm trying to visualize the health of several windows & linux systems using IT essentials work, and no matter what I do it seems like I just can't get the data to actually be read by IT essentials Work (ITEW).
For testing purposes, I have only started with Windows machines, since I figured those would be better documented and easier. I have installed the Splunk Add on for Microsoft on both the indexer/search head as well as the client, and added the custom inputs.conf which is linked from Splunk Security Essentials App on monitoring CPU/Memory performance on remote windows systems.
I have installed IT essentials work on my indexer/search head, and it automatically created the "itsi_im_metrics" index, which should collect the data being reported by the foreign host, and then allow ITEW to read it and visualize it, right? When I go into "indexes" on the indexer/search head, it shows that it has thousands of events within that index, and shows it was recently updated as of just a few minutes prior, so the flow it working. However this index doesn't show any events when I search for it in both the normal search & reporting search bar, as well as the ITEW search bar.
It's obviously something stupid that I missed on my end, since I feel like it's missing one small configuration and then it will work fine, but the fact that there's no guides or videos on this practice and just some very generic documentation on ITSI/ITEW is very disappointing.
Thank you in advance for considering and assisting me with this, and I look forward to your responses so I can resolve this issue. Any help that leads to the solution will of course be accepted and rewarded with karma for those who appreciate that.
Can you try installing and configuring the Content Packs for ITSI/ITEW (https://splunkbase.splunk.com/app/5391)? They have multiple content packs which can be helpful for the information you are looking for. Here is the documentation link for an overview of the Content Packs - https://docs.splunk.com/Documentation/ContentPackApp/1.4.0/Overview/Overview
For Windows data, you can configure the "Content Pack for Windows Dashboards and Reports". Installation and configuration guide for the same can be found here - https://docs.splunk.com/Documentation/CPWindowsDash/1.0.0/CP/Install
Hi @tshah-splunk , thanks for your response.
I have since gone in and confirmed app #5341 (content packs) is installed on my SH/indexer, and I have followed the steps outlined in the link you sent, which included creating several indexes, however I still am not getting any results within ITEW.
After running the build_winfra_lookup search found within DA-ITSI-CP-windows-dashboards all the results came back as 201, which I assume is successful.
The one time I got this working before I know it had to do with entity integration, but I don't know if I ran the ps1 script that is located within ITEW app > Configuration > data integrations > Windows infrastructure. Is this required to be able to store and monitor entities within ITEW? Is there any way to do this without running a ps1 script on endpoints that have ps1 scripts disabled?
Many thanks in advance