Windows Events Not showing Up on Indexer

pfabrizi
Path Finder

A UF was installed on 2 Windows Domain Controllers. These are in a different Windows forest than my other devices. I had to manually add these to the windows_eventlog class by IP as the DNS name can't be resolved. I now see them sending to the indexer, but I can't search any of the events. How can I troubleshoot this?

Thanks!

0 Karma

gjanders
SplunkTrust

You could read the metrics.log (documentation here) of the universal forwarder; the series= lines should advise which index, sourcetype and source the data was going through the forwarder as.
The metrics.log/splunkd.log should confirm that the forwarder is forwarding as expected.

The tstats command might also help here, for example you could do:

| tstats count, max(_indextime) AS mostRecent, max(_time) AS mostRecentParsedTime where index=windows groupby host | eval mostRecent = strftime(mostRecent, "%+"), mostRecentParsedTime = strftime(mostRecentParsedTime, "%+")

You could then narrow down to an index/sourcetype/source or similar and include/exclude hosts until you narrow down to where your hosts are; perhaps they used the IP instead of the DNS name?
Since tstats queries metadata only, it is quite quick to run over larger periods of time; however, you can only use the where clause against indexed fields...

Finally, if you can see data leaving the forwarder but you are unsure where it's going, run the btool command:

splunk btool outputs list --debug
0 Karma
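As an added example (not part of the answer above), here is a small parser for the metrics.log series= lines the answer refers to: it totals kb and event counts per index, sourcetype, source and host from the forwarder's per_*_thruput lines, so you can see which index the DC events were routed to and whether the forwarder reports the host as an IP or a DNS name. The log lines below are constructed samples in the metrics.log format; the index, sourcetype and host values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample metrics.log lines (not from the original thread).
SAMPLE_METRICS_LOG = """\
02-10-2017 10:00:31.123 +0000 INFO  Metrics - group=per_index_thruput, series="windows", kbps=0.41, eps=1.8, kb=12.3, ev=54, avg_age=1, max_age=2
02-10-2017 10:00:31.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=0.35, eps=1.5, kb=10.5, ev=45, avg_age=1, max_age=2
02-10-2017 10:00:31.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:System", kbps=0.06, eps=0.3, kb=1.8, ev=9, avg_age=1, max_age=2
02-10-2017 10:00:31.123 +0000 INFO  Metrics - group=per_host_thruput, series="192.0.2.10", kbps=0.41, eps=1.8, kb=12.3, ev=54, avg_age=1, max_age=2
02-10-2017 10:01:02.456 +0000 INFO  Metrics - group=per_index_thruput, series="windows", kbps=0.38, eps=1.7, kb=11.4, ev=51, avg_age=1, max_age=3
02-10-2017 10:01:02.456 +0000 INFO  Metrics - group=per_host_thruput, series="192.0.2.10", kbps=0.38, eps=1.7, kb=11.4, ev=51, avg_age=1, max_age=3
02-10-2017 10:01:02.456 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=0, current_size=0, largest_size=12, smallest_size=0
"""

# Only the throughput groups carry a series= value; queue lines are ignored.
LINE_RE = re.compile(
    r'group=(?P<group>per_(?:index|sourcetype|source|host)_thruput), '
    r'series="(?P<series>[^"]*)", .*?\bkb=(?P<kb>[\d.]+), ev=(?P<ev>\d+)'
)


def summarize_thruput(text):
    """Return {group: {series: (total_kb, total_events)}} over all matching lines."""
    totals = defaultdict(lambda: defaultdict(lambda: [0.0, 0]))
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = totals[m["group"]][m["series"]]
        entry[0] += float(m["kb"])
        entry[1] += int(m["ev"])
    return {g: {s: (round(v[0], 2), v[1]) for s, v in d.items()}
            for g, d in totals.items()}


def hosts_seen(text):
    """Host values the forwarder reported (IP vs. DNS name is what to check here)."""
    return sorted(summarize_thruput(text).get("per_host_thruput", {}))


if __name__ == "__main__":
    for group, series in summarize_thruput(SAMPLE_METRICS_LOG).items():
        for name, (kb, ev) in series.items():
            print(f"{group:26} {name:24} kb={kb:<8} ev={ev}")
    print("hosts:", hosts_seen(SAMPLE_METRICS_LOG))
```

Point it at $SPLUNK_HOME/var/log/splunk/metrics.log on the forwarder and compare the per_index_thruput series against the index you are searching; an empty per_host_thruput for the DC means nothing left the forwarder in that interval.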

davebrooking
Contributor

Hi

How have you determined that the events are being sent to the indexer?

Could it be that the date format of the events is being misinterpreted and the events indexed today from the Domain Controllers are being indexed with a timestamp of 10 February 2017?

Dave

0 Karma

pfabrizi
Path Finder

I will check for that. It appears that I have to use the IP address, and I had to manually add them to the server class on my deployment server. If I tried by DNS name, the apps for the Windows server class were not added; however, when I added the IP they got configured. I have not had to do that with any other servers that I am aware of.

0 Karma