Splunk Search

I see the wineventlog index growing after universal forwarder installation on Windows, but why are there no Windows events in the Search app Data Summary?

sdorsey15
New Member

Greetings all! I haven't worked with Splunk in about a year so I'm a little rusty.

Anyhow, I have Linux systems logging to Splunk with no issue. However, I seem to be running into a problem with Windows logs.

I installed a Universal Forwarder on a few systems. I adjusted the inputs.conf under the system/local folder with the below stanza. When I went into search and reporting > data summary, I was not seeing entries there for logs coming from these systems. However, I checked the wineventlog index and it was rapidly growing. Then, I thought maybe it was an index issue, so I created a new index and updated the stanza to point to that instead. Same issue - didn't see timestamp updates under Data Summary but the index was growing. Verified I couldn't search for the logs either.

Ideas? Thanks much in advance!

###### OS Logs ######
[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
index = wineventlog

[WinEventLog://Security]
disabled = false
start_from = oldest
current_only = 0
suppress_text = 1
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = 5140,5156-5157,4674
index = wineventlog

[WinEventLog://System]
disabled = false
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
index = wineventlog

[WinEventLog://Windows PowerShell]
checkpointInterval = 5
current_only = 0
disabled = false
start_from = oldest
index = wineventlog

javiergn
SplunkTrust

From what you are saying above, searches work fine against default indexes but not against others, so have you tried specifying the index name you are searching against as part of your query?
For instance:

index=wineventlog sourcetype=WinEventLog:* ...

By default Splunk will only search against your default indexes if you don't specify "index=". You can change this in your user profile by the way.

Thanks,
J

stephanefotso
Motivator

Hello! Run this search on the receiver: index=_internal, and verify the number of hosts that you have, to know whether data are coming from the forwarder.

Thanks

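The two replies above point at the same troubleshooting sequence: confirm the forwarders are actually connecting to the receiver, then search the target index explicitly rather than relying on the default-index scope that the Data Summary uses. The searches below are an added example, not part of either reply; they assume the index name wineventlog from the inputs.conf posted in the question and a search head where you have permission to read _internal and call the REST endpoint.

```spl
index=_internal source=*metrics.log group=tcpin_connections
| stats count latest(_time) as last_conn by hostname, sourceIp, fwdType
| convert ctime(last_conn)

index=wineventlog sourcetype="WinEventLog:*" earliest=-24h
| stats count min(_time) as first_seen max(_time) as last_seen by host, sourcetype, index
| convert ctime(first_seen) ctime(last_seen)

| tstats count where index=wineventlog by host, sourcetype

| rest /services/authorization/roles splunk_server=local
| fields title, srchIndexesDefault, srchIndexesAllowed
```

Read the results in order. If the first search lists each Windows host with fwdType=uf and a recent last_conn, the forwarders are connecting. If the second or third search returns events for those hosts, the data is indexed and searchable, and the only reason it is missing from Data Summary is that wineventlog is not in the searching role's default indexes; the fourth search shows which indexes each role searches by default (srchIndexesDefault). Adding wineventlog there, under Settings > Roles or the srchIndexesDefault setting in authorize.conf, makes it appear in Data Summary and in searches that omit index=. If the second search returns nothing while the index size keeps growing, check the time range first: start_from = oldest with current_only = 0 replays old events whose timestamps may fall outside the default window.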

sdorsey15
New Member

The events for the affected hosts only populate/rise if I send the logs to the Default index. If I send them to wineventlogs or a custom one, they do not rise and are not searchable despite the Indexes themselves showing increasing events.
