
WindDHCP app returning no result

williamavila12
Explorer

I have installed the app and faithfully followed the instructions provided but I still see no result when I try to launch the app.

I know that the sourcetype coming from my DHCP server is not the default "DhcpSrvLog" sourcetype (mine is like "DhcpSrvLog-Mon", "DhcpSrvLog-Tue", and so on) so I did the steps for Field Extractions changing the [DhcpSrvLog] stanza to [DhcpSrvLog-Mon] and so on...to no avail.

At the least I'm seeing these DHCP logs when I do a search on the Search app so I'm sure that the logs are coming in alright.

Can someone please point me in the right direction...I have no idea what's amiss. Will really appreciate all your help. Thanks in advance.

0 Karma

araitz
Splunk Employee

Per this question:

http://splunk-base.splunk.com/answers/27455/logs-being-sent-with-lwf

Please refer to the app documentation:

http://splunk-base.splunk.com/apps/22353/windows-dhcp


Saved Searches

Most of the saved searches and dashboards depend on the macro WinDHCP_event being defined correctly. By default, this event type is defined as "sourcetype=DhcpSrvLog", so if you have performed the initial step of getting the field extractions to work, you should be all set. If you still have problems, please post to answers.splunk.com using the link on this page.


Thus, in your case, you should change the macro to be sourcetype=DhcpSrvLog-*. You might have to wait 5 or 10 minutes after that for the dashboard's saved searches to work as expected.

0 Karma
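As an added example (not from the original thread or the Windows DHCP app itself), this is what a local override of the macro looks like, together with the search a practitioner would run first to confirm which sourcetype names the DHCP data actually arrived under. It assumes the macro lives in macros.conf under the app's own directory (the app directory name below is a placeholder); if the app ships WinDHCP_event as an event type instead, the same override goes in eventtypes.conf with a `search =` key rather than `definition =`.

```ini
; $SPLUNK_HOME/etc/apps/<windows_dhcp_app_dir>/local/macros.conf
; (placeholder app directory; local/ overrides default/ and survives app upgrades)

; Shipped (default) definition: only matches the exact sourcetype name
; [WinDHCP_event]
; definition = sourcetype=DhcpSrvLog

; Override: match the per-day sourcetypes (DhcpSrvLog-Mon, DhcpSrvLog-Tue, ...)
; as well as the plain default name, so every dashboard search sees the data.
[WinDHCP_event]
definition = sourcetype=DhcpSrvLog OR sourcetype=DhcpSrvLog-*

; Verification search to run in the Search app before and after the change
; (assumed search, not part of the app):
;   | metadata type=sourcetypes index=* | search sourcetype=DhcpSrvLog* | table sourcetype totalCount
; Every sourcetype listed must be covered by the macro definition above.
; Then confirm the macro expands to something that returns events:
;   `WinDHCP_event` | stats count by sourcetype
```

After editing the file, reload the configuration (for example by restarting Splunk or calling the debug/refresh endpoint); the dashboards will only show data once their scheduled searches have run again with the new definition, which is the 5 to 10 minute delay mentioned above.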

araitz
Splunk Employee

Glad you solved the issue! Please accept the answer.

0 Karma

williamavila12
Explorer

Problem solved...

I followed one of the answers here: http://splunk-base.splunk.com/answers/27455/logs-being-sent-with-lwf basically editing .../etc/system/local/inputs.conf and adding these additional directives:

[monitor://C:\Windows\System32\dhcp]
sourcetype = DhcpSrvLog
crcSalt =
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+.log

After service restart...it worked! Thanks for all the help!

0 Karma

williamavila12
Explorer

Hi araitz,

this was the search string...

search sourcetype=DhcpSrvLog dhcp_message= | replace "windhcp_" with * in dhcp_message | top dhcp_message

so the sourcetype used for this search was still the default and different from the sourcetypes coming from my forwarder - DhcpSrvLog-Mon. Isn't that supposed to be handled by the changes I made in ../local/props.conf?

Thanks

0 Karma

araitz
Splunk Employee

On one of the dashboards where you are not seeing results displayed, there will be a link next to 'no results found'. When you click on this link, it should show you some information on the search that was run, including the search itself. Can you let me know what the search string is? In particular, does the sourcetype match up with the sourcetype for your DHCP data in Splunk?

0 Karma