Windows host and source types not shown in search

Path Finder

I had to reinstall my universal forwarder on a Windows server and Splunk stopped showing new messages. So I deleted all messages of this host, then I cleaned the wineventlog index, then reinstalled the UF again because I thought that might force it. Now I don't see my server in hosts and all EventLog source types disappeared, but when I search "index=wineventlog" I can see all new messages.

How can I re-add the server to hosts and how do I get the old source types back?

This is Splunk Light btw.

0 Karma
1 Solution

Path Finder

Ok I got it I think.
I copied authorize.conf from /etc/system/default to /etc/system/local on the Splunk Light server and changed this line
srchIndexesDefault = main;os
to
srchIndexesDefault = wineventlog;main;os
for the admin user.
After a restart everything worked as it should.
I think there might be a bug in the Windows Add-On not configuring this correctly.

0 Karma
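A small check, added here and not taken from the thread or from Splunk's own tooling, that parses the role stanzas of an authorize.conf (a constructed sample modelled on the one above) and reports when a role is allowed to search an index that is missing from its default search set, which is the state the accepted answer fixes. It also builds the minimal override stanza; in Splunk's layering only that stanza needs to go in system/local, not a full copy of system/default.

```python
import configparser

# Constructed sample modelled on the thread: the admin role may search any
# index (*) but only main and os by default, so events in wineventlog are
# reachable with "index=wineventlog" yet never appear in the host/sourcetype
# summaries, which run over the default indexes only.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = main;os

[role_user]
srchIndexesAllowed = main;os
srchIndexesDefault = main;os
"""


def parse_authorize_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep camelCase keys such as srchIndexesDefault
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def split_indexes(value):
    """Splunk separates index names with ';' (e.g. 'main;os')."""
    return [i.strip() for i in value.split(";") if i.strip()]


def missing_from_default(conf, role, index):
    """True if `role` can search `index` but it is not searched by default."""
    stanza = conf[f"role_{role}"]
    allowed = split_indexes(stanza.get("srchIndexesAllowed", ""))
    default = split_indexes(stanza.get("srchIndexesDefault", ""))
    reachable = "*" in allowed or index in allowed
    return reachable and index not in default


def default_index_override(conf, role, index):
    """Return the stanza to place in system/local adding `index` to the defaults."""
    stanza = conf[f"role_{role}"]
    default = split_indexes(stanza.get("srchIndexesDefault", ""))
    if index not in default:
        default.insert(0, index)
    return f"[role_{role}]\nsrchIndexesDefault = {';'.join(default)}"


if __name__ == "__main__":
    conf = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    for role in ("admin", "user"):
        if missing_from_default(conf, role, "wineventlog"):
            print(default_index_override(conf, role, "wineventlog"))
```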

Path Finder

Ok so I think I know what the problem is. By default Splunk searches only the main index, I think. The Windows Add-On uses wineventlog, which is not searched. I set it up again so the forwarder forwards to the main index instead of wineventlog and, success, the host and sourcetypes were shown. So now the question is how do I configure Splunk Light to also search the wineventlog index. If you use Splunk Enterprise I think you just need to set up roles so that it is visible to your user. Don't know how to do this on Light yet...

edit:
Also when I configured the UF as a deployment client I thought it would forward messages on its own, but it turns out you still need to add the receiving server.

0 Karma

New Member

I am having the same issue here too... all my Linux hosts are showing. WinSrv 2012 is showing but not Win7.

0 Karma

Path Finder

I restored Splunk to a snapshot taken just after install and repeated the installation of the UF multiple times. First I specified only the receiving server and again all logs went to the wineventlog index but are not shown anywhere. Second I tried configuring the UF as a deployment client and the server does not receive any messages. I am totally lost...

0 Karma