Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows host and source types not shown in search

thejohn
Path Finder
‎06-19-2015 08:20 AM

I had to reinstall my universal forwarder on windows server and splunk stopped showing new messages. So deleted all messages of this host then I cleaned wineventlog index then reinstalled UF again because I thought that might force it. Now I don't see my server in hosts and all EventLog source types disappeared but when I search "index=wineventlog" I can see all new messages.

How can I re-add the server to hosts and how to old source types?

This is splunk light btw.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thejohn
Path Finder
‎06-21-2015 07:03 AM

Ok I got it I think.
I copied authorize.conf from /etc/system/default to /etc/system/local on splunk light server and changed this line
srchIndexesDefault = main;os
to
srchIndexesDefault = wineventlog;main;os
for admin user.
After restart everything worked as it should.
I think there might be a bug in Windows Add-On not configuring correctly.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thejohn
Path Finder
‎06-21-2015 07:03 AM

Ok I got it I think.
I copied authorize.conf from /etc/system/default to /etc/system/local on splunk light server and changed this line
srchIndexesDefault = main;os
to
srchIndexesDefault = wineventlog;main;os
for admin user.
After restart everything worked as it should.
I think there might be a bug in Windows Add-On not configuring correctly.

0 Karma
Reply
Solved! Jump to solution

thejohn
Path Finder
‎06-21-2015 06:26 AM

Ok so I think I know what the problem is. By default splunk searches only main index I think. Windows Add-On uses wineventlog which is not searched. I set it up again so forwarder forwards to main index instead of wineventlog and success, the host and sourcetypes were shown. So now the question is how do I configure splunk light to also search wineventlog index. If you use splunk enterprise I think you just need to set up roles so that it is visible by your user. Don't know how to do this on light yet...

edit:
Also when I configured UF as deployment client I thought it will forward messages on its own, but it turns out you still need to add receiving server.

0 Karma
Reply
Solved! Jump to solution

pierre31
New Member
‎06-19-2015 05:44 PM

I am having the same issue here too... all my linux host are showing. WinSrv 2012 showing but now win7.

0 Karma
Reply
Solved! Jump to solution

thejohn
Path Finder
‎06-19-2015 05:11 PM

I restored splunk to snapshot just after install and repeated the installation of UF multiple times. First I specified only receiving server and again all logs went to wineventlog index but are not shown anywhere. Second I tried configuring UF as deployment client and server does not receive any messages. I am totally lost...

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...