Getting Data In

Windows Events Not showing Up on Indexer

pfabrizi
Path Finder

A UF was installed on 2 Windows domain controllers. These are in a different Windows forest than my other devices. I had to manually add these to the windows_eventlog class by IP as the DNS name can't be resolved. I now see them sending to the indexer but I can't search any of the events. How can I troubleshoot this?

Thanks!

0 Karma

gjanders
SplunkTrust

You could read the metrics.log (documentation here) of the universal forwarder; the series= lines should tell you which index, sourcetype and source the data was going through the forwarder with.
The metrics.log/splunkd.log should confirm that the forwarder is forwarding as expected.

The tstats command might also help here, for example you could do:

| tstats count, max(_indextime) AS mostRecent, max(_time) AS mostRecentParsedTime where index=windows groupby host | eval mostRecent = strftime(mostRecent, "%+"), mostRecentParsedTime = strftime(mostRecentParsedTime, "%+")

You could then narrow down to an index/sourcetype/source or similar and include/exclude hosts until you narrow down to where your hosts are; perhaps they used the IP instead of the DNS name?
Since tstats queries metadata only, it is quite quick to run over larger periods of time; however, you can only use the where clause against indexed fields...

Finally, if you can see data leaving the forwarder but you are unsure where it's going run the btool command:

splunk btool outputs list --debug
0 Karma
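As an added illustration of the metrics.log approach described in the answer above (this is example code written for this page, not Splunk's own tooling or anything from the original post), the script below parses the per_index_thruput / per_sourcetype_thruput / per_host_thruput / per_source_thruput series= lines that a universal forwarder writes and sums the event and KB counters per series, so you can see at a glance which index, sourcetype, source and host the forwarder thinks it is shipping. It also lists any host series that look like bare IPv4 addresses, which is the "they used IP instead of DNS name" case the answer suggests checking. The sample log lines are constructed for the example in the shape that metrics.log lines normally take; the host and indexer addresses in them are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of a universal forwarder's metrics.log.
# IPs, series names and counters are invented for this example.
SAMPLE_METRICS_LOG = """\
03-15-2017 10:00:31.123 +0000 INFO  Metrics - group=per_index_thruput, series="windows", kbps=4.12, eps=2.5, kb=127.8, ev=78, avg_age=1, max_age=2
03-15-2017 10:00:31.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=3.80, eps=2.1, kb=117.9, ev=66, avg_age=1, max_age=2
03-15-2017 10:00:31.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:System", kbps=0.32, eps=0.4, kb=9.9, ev=12, avg_age=0, max_age=1
03-15-2017 10:00:31.123 +0000 INFO  Metrics - group=per_host_thruput, series="10.20.30.40", kbps=4.12, eps=2.5, kb=127.8, ev=78, avg_age=1, max_age=2
03-15-2017 10:00:31.123 +0000 INFO  Metrics - group=per_source_thruput, series="WinEventLog:Security", kbps=3.80, eps=2.1, kb=117.9, ev=66, avg_age=1, max_age=2
03-15-2017 10:01:02.456 +0000 INFO  Metrics - group=per_index_thruput, series="windows", kbps=0.00, eps=0.0, kb=0.0, ev=0, avg_age=0, max_age=0
03-15-2017 10:01:02.456 +0000 INFO  Metrics - group=tcpout_connections, name=primary_indexers:10.0.0.5:9997:0, sourcePort=8089, destIp=10.0.0.5, destPort=9997, _tcp_Bps=1234.5, _tcp_KBps=1.2, _tcp_avg_thruput=1.2, _tcp_Kprocessed=150, _tcp_eps=2.4, kb=127.8
"""

# The thruput groups whose series= value names an index, sourcetype, source or host.
THRUPUT_GROUPS = {
    "per_index_thruput",
    "per_sourcetype_thruput",
    "per_source_thruput",
    "per_host_thruput",
}

_SERIES_RE = re.compile(r'group=(?P<group>\w+), series="(?P<series>[^"]*)"')
_KB_RE = re.compile(r"\bkb=(?P<kb>[\d.]+)")     # "kbps=" does not match "kb=", so this is safe
_EV_RE = re.compile(r"\bev=(?P<ev>\d+)")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def summarize_thruput(log_text):
    """Sum ev= and kb= per (group, series) over all thruput lines in the text.

    Returns {group: {series: {"ev": int, "kb": float}}}. Lines without a
    series= field (for example tcpout_connections) are skipped.
    """
    summary = defaultdict(lambda: defaultdict(lambda: {"ev": 0, "kb": 0.0}))
    for line in log_text.splitlines():
        m = _SERIES_RE.search(line)
        if not m or m.group("group") not in THRUPUT_GROUPS:
            continue
        kb = _KB_RE.search(line)
        ev = _EV_RE.search(line)
        entry = summary[m.group("group")][m.group("series")]
        entry["ev"] += int(ev.group("ev")) if ev else 0
        entry["kb"] += float(kb.group("kb")) if kb else 0.0
    # Convert to plain dicts so callers get ordinary mapping behaviour.
    return {g: dict(series) for g, series in summary.items()}


def hosts_reported_by_ip(summary):
    """Return per_host_thruput series that are bare IPv4 addresses, sorted.

    A host showing up here means the forwarder is identifying itself by IP,
    so searches filtered on the DNS name will not find its events.
    """
    hosts = summary.get("per_host_thruput", {})
    return sorted(h for h in hosts if _IPV4_RE.match(h))


def active_series(summary, group):
    """Series in the given group that actually carried events (ev > 0)."""
    return sorted(s for s, v in summary.get(group, {}).items() if v["ev"] > 0)


if __name__ == "__main__":
    s = summarize_thruput(SAMPLE_METRICS_LOG)
    for group in sorted(s):
        for series, counters in sorted(s[group].items()):
            print(f"{group:24s} {series:24s} ev={counters['ev']:6d} kb={counters['kb']:8.1f}")
    print("hosts reported by IP:", hosts_reported_by_ip(s))
```

Run it against a real forwarder's metrics.log by replacing SAMPLE_METRICS_LOG with the file contents; the per_host_thruput output tells you what value to put in the host= filter of the tstats search, and a sourcetype or index that never appears with ev > 0 means the input is not actually producing events, regardless of what the tcpout_connections line says about the connection to the indexer.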

davebrooking
Contributor

Hi

How have you determined that the events are being sent to the indexer?

Could it be that the date format of the events is being misinterpreted and the events indexed today from the Domain Controllers are being indexed with a timestamp of 10 February 2017?

Dave

0 Karma

pfabrizi
Path Finder

I will check for that. It appears that I have to use the IP address, and I had to manually add them to the server class on my deployment server. If I tried by DNS name, the apps for the Windows server class were not added; however, when I added the IP they got configured. I have not had to do that with any other servers that I am aware of.

0 Karma