Getting Data In

TA_Windows inputs configuration via GUI

corti77
Communicator

Hi,

I am deploying Splunk 8.1.4 from scratch in our lab and I am finding it difficult to understand how the data inputs included in the TA are supposed to be managed.

Following the official instructions I configured inputs.conf and props.conf in /local, enabling two stanzas pointing to a test index.

[WinEventLog://Application]
[WinEventLog://Security]

How can I find the new inputs in the GUI? I don't really understand how the TA binds with the UI. I don't see any new input in the local inputs. Is this normal?

Also, I read that the index configuration was removed from the add-on and it needs to be configured manually. I don't see any recommendation about which index names to use. Does it not really matter? I can imagine that Windows apps might expect specific index names to work properly.

Sorry for the basic questions, I couldn't find the answer myself digging in the documentation.

Many thanks.

Thanks.


venkatasri
SplunkTrust

Hi @corti77 

The UI that you see might be a default one that comes along with the Splunk Windows version; you can go ahead and configure it. It collects the events from the host where your Splunk is running.

Regarding the index, you can configure it in the search app or you can create your own app; it doesn't matter for CIM. As CIM mappings are done at the sourcetype/source level, they don't work by indexes.

---

An upvote would be appreciated and Accept solution if this reply helps!


venkatasri
SplunkTrust

Hi @corti77 

The Windows TA can be installed on a UF, HF, standalone Splunk installation, etc. if the OS is Windows. The general use case is to install it on the client host from where event logs are to be captured, typically on a UF.

Some versions of the UF, when installing in GUI mode, prompt to configure event logs; this has nothing to do with the TA, it's part of the UF installation. There is no UI for the TA. It can be downloaded from here - https://splunkbase.splunk.com/app/742/#/details . Before installation of the TA, verify under etc/apps; it might already be installed by default with the UF, and if not you can do so.

You can go to the TA's default/ dir and find the inputs conf, where the inputs already exist, mostly in a disabled state. Splunk recommends not changing the default/ dir, so copy the inputs conf to the local/ dir (create it if it doesn't exist, at the same level as default/) and enable them there, and change the index to the one you wish; I guess if left at the default, logs go to the main index. Restart the UF to get the collection started, assuming you have outputs conf configured and connected.

You can read more here - https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Configuration

---

An upvote would be appreciated and Accept solution if this reply helps!

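As an added example (not from this thread or from the add-on itself), a small script that applies the procedure above without touching default/: it reads the TA's default inputs.conf, enables only the stanzas you name, and writes a local/inputs.conf overlay with the target index. The DEFAULT_INPUTS text is a constructed stand-in for the real default file, and "wineventlog" is just an example index name, not a name the add-on requires.

```python
"""Build a local/inputs.conf overlay for the Splunk Windows add-on.

Constructed example: DEFAULT_INPUTS imitates the shape of the add-on's
default/inputs.conf (stanzas shipped with disabled = 1); it is not a copy
of the real file. Only named stanzas are enabled, so default/ stays intact.
"""
from typing import Dict, List

# Constructed sample standing in for etc/apps/Splunk_TA_windows/default/inputs.conf
DEFAULT_INPUTS = """\
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0

[WinEventLog://System]
disabled = 1
"""

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}; comments are skipped."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def build_local_overlay(default_text: str, enable: List[str], index: str) -> str:
    """Return local/inputs.conf text enabling `enable` stanzas into `index`.

    A stanza that default/ does not ship raises KeyError, so a misspelled
    channel fails loudly instead of silently collecting nothing.
    """
    defaults = parse_conf(default_text)
    out = []
    for name in enable:
        if name not in defaults:
            raise KeyError(f"stanza [{name}] not found in default inputs.conf")
        # Only overridden settings go in local/; Splunk layers the rest from default/.
        out.append(f"[{name}]\ndisabled = 0\nindex = {index}\n")
    return "\n".join(out)
```

Write the returned text to `$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf` and restart the forwarder; `splunk btool inputs list WinEventLog --debug` then shows which file each effective setting came from.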

corti77
Communicator

Thanks a lot for the answer.

I understand the part related to the universal forwarder; I configured it like that and the data is flowing into Splunk.

My question was referring to the Splunk server itself, on which I do have a web interface to interact with the inputs. I also installed TA_windows on the Splunk server itself; can I enable the inputs included in the add-on using the UI? I don't see any mention of the add-on TA_Windows in Settings --> Data --> Data inputs --> Local inputs.

Also, I know that I need to include the target index for each stanza of the file inputs.conf (local folder). My question was about the names of the indexes themselves: whether there are some specific names I should use (thinking about CIM) so additional future apps don't get broken and can show results in their queries and dashboards. For example, I am thinking about the Microsoft Infrastructure App.

I also read that the creation of the indexes was removed from the add-ons so they don't become dependent on them, and now they must be created manually. My last question is: should I create them all in the search app?

Many thanks once more.
