Splunk App for Windows Infrastructure default index issue

token2
Path Finder

I have the latest SA-LDAP, Splunk_TA_Windows and Windows Infra apps installed.  I have sourcetype WinHostMon data coming in, but the Infrastructure app guided setup says it is not detected.

I jumped over to one of the infra dashboards (Host Monitoring - Operations >> Disk Free Space Distribution), where all panels show "No results found", and opened that panel in Search. By simply inputting index=windows, the search then works.

Where does the app designate the default index its searches refer to?


gcusello
SplunkTrust

Hi @token2,

First, check whether you have logs in the indexes where they are stored: if you have no results, there's a problem in log ingestion.

If instead you have results, open the search of one panel in Search, then add index="win*" to the main search and see if you get results: probably the indexes where the logs are stored aren't in the default search path.

If this is the problem you have two choices:

  • add those indexes to the default path for the roles you're using,
  • modify all the eventtypes adding the indexes.

The first solution is quicker to implement, but I don't like it because your searches are slower.

I prefer the second solution: even if it is longer to implement, it is more performant.

Ciao.

Giuseppe

token2
Path Finder

@gcusello I get results if I input index=win* (in this case it's index=windows).

How does one go about changing the default path for the role via .conf files?  I see it in the GUI:

Settings >> Authentication Methods (because I'm using LDAP in this case) >> LDAP Settings >> Map groups >> Edit the LDAP group name the user is affected by; added "winfra-admin".

Where is this found inside of the Splunk file system?


gcusello
SplunkTrust

Hi @token2,

the easiest way is to do this in the GUI, in [Settings -- Roles -- your_role -- Indexes].

If you want to do this in a .conf file, open $SPLUNK_HOME/etc/system/local/authorize.conf and, in the stanza of your role, add (if it isn't there) or modify the option srchIndexesDefault.

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it for the other people of the Community, or tell me how I can help you more (and Karma Points are appreciated 😉 )
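As an added example (not code from this thread or from Splunk), a small Python check for the fix Giuseppe describes: parse an authorize.conf, resolve a role's srchIndexesDefault including the roles it imports, and test whether a given index is covered by a search that does not set index=. The role name winfra_admin, the role_user stanza and the conf text are constructed; the windows index and the win* pattern come from the thread.

```python
# Added example, not from the thread or from Splunk: check whether an index is
# in a role's default search path as defined in authorize.conf. Relies on Splunk
# behaviour: stanzas are [role_<name>], srchIndexesDefault and importRoles are
# ';'-separated lists, and index entries may use wildcards such as win*.
# The role name winfra_admin and the role_user stanza are constructed.
import configparser
import fnmatch

# Constructed authorize.conf, 'before': the role lacks the windows index, so
# dashboard panels that do not set index= return "No results found".
AUTHORIZE_CONF_BEFORE = """
[role_user]
srchIndexesDefault = main

[role_winfra_admin]
importRoles = user
srchIndexesDefault = main
"""

# 'After': win* added to the role's default path, as suggested in the thread.
AUTHORIZE_CONF_AFTER = AUTHORIZE_CONF_BEFORE.replace(
    "importRoles = user\nsrchIndexesDefault = main",
    "importRoles = user\nsrchIndexesDefault = main;win*")


def _split(value):
    """authorize.conf list values are ';'-separated."""
    return [v.strip() for v in value.split(";") if v.strip()]


def default_search_indexes(conf_text, role, _seen=None):
    """Index patterns searched by default for `role`, including patterns
    inherited through importRoles (guarded against import cycles)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    _seen = set() if _seen is None else _seen
    if role in _seen or not cp.has_section(f"role_{role}"):
        return []
    _seen.add(role)
    section = cp[f"role_{role}"]
    patterns = _split(section.get("srchIndexesDefault", ""))
    for parent in _split(section.get("importRoles", "")):
        patterns += default_search_indexes(conf_text, parent, _seen)
    return sorted(set(patterns))


def searched_by_default(conf_text, role, index):
    """True if a search without index= run as `role` would cover `index`."""
    return any(fnmatch.fnmatchcase(index, p)
               for p in default_search_indexes(conf_text, role))
```

Running `searched_by_default(conf, "winfra_admin", "windows")` returns False for the 'before' text and True for the 'after' text, which is the difference between the empty panels and the working index=windows search in the thread.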
