Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App for Windows Infrastructure default index issue

token2
Path Finder
‎03-11-2021 05:46 PM

I have the latest SA-LDAP, Splunk_TA_Windows and Windows Infra apps installed.  I have sourcetype WinHostMon data coming in, but the Infrastructure app guided setup says it is not detected.

I jumped over to one of the infra dashboards and all panels have "No results found" >> Host Monitoring - Operations >> Disk Free Space Distribution and opened that in search.  By simply inputting index=windows the search then works.

Where does the app designate the default index it's searches refer to?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-12-2021 10:56 PM

Hi @token2,

the easiest way is to do this by gui in [Settings -- Roles -- your_role -- indexes].

If you want to do this in .conf file, open: %SPLYNK_HOME/etc/system/local/authorize.conf and in the stanza of you role add (if there isn't) or modify the option srchIndexesDefault.

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it fot the other people of Community or tell me how can I help you more (and Karma Points are apprecited 😉 )

 

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-11-2021 11:44 PM

Hi @token2,

at first see if you have logs in the indexes where logs are stored: If you haven't results, there's a problem in log ingestion.

If instead you have results, open a search of one panel in Search, then add index="win*" to the main search and see if you have results: probably the indexes where logs are stored isn't in the default search path.

If this is the problem you have two choices:

  • add those indexes to the default path for the roles you're using,
  • modify all the eventtypes adding the indexes.

First solution is quicher to resolve but I don't like because your searches are slower.

I prefer the second solution even if is longer to implement but is more performant.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

token2
Path Finder
‎03-12-2021 03:09 PM

@gcusello I get results if I input index=win* (in this case its index=windows).  

How does one go about changing the default path for the role via .conf files?  I see it in the GUI:

Settings >> Authentication Methods (because using LDAP in this case) >> LDAP Settings >> Map groups >> Edit LDAP group name user is affected by, added "winfra-admin".

Where is this found inside of the Splunk file system?  

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-12-2021 10:56 PM

Hi @token2,

the easiest way is to do this by gui in [Settings -- Roles -- your_role -- indexes].

If you want to do this in .conf file, open: %SPLYNK_HOME/etc/system/local/authorize.conf and in the stanza of you role add (if there isn't) or modify the option srchIndexesDefault.

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it fot the other people of Community or tell me how can I help you more (and Karma Points are apprecited 😉 )

 

Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top