I have the latest SA-LDAP, Splunk_TA_Windows and Windows Infra apps installed. I have sourcetype WinHostMon data coming in, but the Infrastructure app guided setup says it is not detected.
I jumped over to one of the infra dashboards and all panels have "No results found" >> Host Monitoring - Operations >> Disk Free Space Distribution and opened that in search. By simply inputting index=windows the search then works.
Where does the app designate the default index its searches refer to?
Hi @token2,
the easiest way is to do this by gui in [Settings -- Roles -- your_role -- indexes].
If you want to do this in a .conf file, open $SPLUNK_HOME/etc/system/local/authorize.conf and in the stanza of your role add (if there isn't one) or modify the option srchIndexesDefault.
Ciao.
Giuseppe
P.S.: if this answer solves your need, please accept it for the other people of the Community or tell me how I can help you more (and Karma Points are appreciated 😉 )
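As an added illustration (not part of Giuseppe's answer), this is what the authorize.conf stanza he refers to looks like. The role name `winfra-admin` is taken from the thread's LDAP group mapping and the index name `windows` from the poster's working search; the `wineventlog` index and the `srchIndexesAllowed` line are assumptions shown to make the point that an index must be in the allowed list before it can be a default.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf  (example, constructed for this thread)
# Role stanzas are named role_<rolename>; the LDAP group in the thread maps to this role.
[role_winfra-admin]
# Indexes the role may search at all. A default index must also appear here,
# otherwise the searches still return nothing for this role.
srchIndexesAllowed = windows;wineventlog
# Indexes searched when a search does not specify index=...
# This is what makes the Infrastructure app panels (which omit index=) return data.
srchIndexesDefault = windows;wineventlog
```

Lists are semicolon separated. After editing the file, restart the Splunk instance so the change is read; the equivalent GUI path (Settings -- Roles -- your_role -- indexes) writes the same keys.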
Hi @token2,
at first see if you have logs in the indexes where logs are stored: If you haven't results, there's a problem in log ingestion.
If instead you have results, open the search of one panel in Search, then add index="win*" to the main search and see if you have results: probably the indexes where logs are stored aren't in the default search path.
If this is the problem you have two choices:
The first solution is quicker to implement but I don't like it because your searches are slower.
I prefer the second solution, even if it is longer to implement, because it is more performant.
Ciao.
Giuseppe
@gcusello I get results if I input index=win* (in this case it's index=windows).
How does one go about changing the default path for the role via .conf files? I see it in the GUI:
Settings >> Authentication Methods (because using LDAP in this case) >> LDAP Settings >> Map groups >> Edit the LDAP group the user is affected by, added "winfra-admin".
Where is this found inside of the Splunk file system?