Getting Data In

Windows host and source types not shown in search

thejohn
Path Finder

I had to reinstall my universal forwarder on windows server and splunk stopped showing new messages. So deleted all messages of this host then I cleaned wineventlog index then reinstalled UF again because I thought that might force it. Now I don't see my server in hosts and all EventLog source types disappeared but when I search "index=wineventlog" I can see all new messages.

How can I re-add the server to hosts and how to old source types?

This is splunk light btw.

0 Karma
1 Solution

thejohn
Path Finder

Ok I got it I think.
I copied authorize.conf from /etc/system/default to /etc/system/local on splunk light server and changed this line
srchIndexesDefault = main;os
to
srchIndexesDefault = wineventlog;main;os
for admin user.
After restart everything worked as it should.
I think there might be a bug in Windows Add-On not configuring correctly.

View solution in original post

0 Karma

thejohn
Path Finder

Ok I got it I think.
I copied authorize.conf from /etc/system/default to /etc/system/local on splunk light server and changed this line
srchIndexesDefault = main;os
to
srchIndexesDefault = wineventlog;main;os
for admin user.
After restart everything worked as it should.
I think there might be a bug in Windows Add-On not configuring correctly.

0 Karma

thejohn
Path Finder

Ok so I think I know what the problem is. By default splunk searches only main index I think. Windows Add-On uses wineventlog which is not searched. I set it up again so forwarder forwards to main index instead of wineventlog and success, the host and sourcetypes were shown. So now the question is how do I configure splunk light to also search wineventlog index. If you use splunk enterprise I think you just need to set up roles so that it is visible by your user. Don't know how to do this on light yet...

edit:
Also when I configured UF as deployment client I thought it will forward messages on its own, but it turns out you still need to add receiving server.

0 Karma

pierre31
New Member

I am having the same issue here too... all my linux host are showing. WinSrv 2012 showing but now win7.

0 Karma

thejohn
Path Finder

I restored splunk to snapshot just after install and repeated the installation of UF multiple times. First I specified only receiving server and again all logs went to wineventlog index but are not shown anywhere. Second I tried configuring UF as deployment client and server does not receive any messages. I am totally lost...

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...