You need to modify the macros.conf in the Splunk App for Windows Infrastructure 1.5.2, to reflect your custom indexes.
definition = index=oswin OR index=oswinsec
definition = index=oswinperf
definition = index=appmsad
definition = index=oswinscript OR index=netipam OR index=appmsadmon
The problem is that the Splunk App for Windows Infrastructure, even on version 1.5.2, does not fully support the new standards of the Splunk Add-on for Microsoft Windows.
It basically has 2 problems:
1) You can't use XML (which is the default in the TA v6.0)
2) You can't use multikv (which is also the default in the TA v6.0)
So, you need to disable XML (renderXml = false) in all your Windows event inputs, as well as disable multikv (mode = single) in the performance ones.
With default configurations, single mode in performance can increase indexed data (so licence use) by almost 5x, so be careful.
Another option is to modify the app, so it takes the data correctly with the new format.
The performance ones, for example, are easy to modify... the problem is that there are searches that look for a "Counter" that does not exist in multikv mode... but you can fix this just by manually putting the values for performance, like:
In the file: /opt/splunk/etc/apps/splunk_app_windows_infrastructure/local/data/ui/views/windows_performance.xml
Search for the CPUCounter token, and change the input to:
<input type="dropdown" token="CPUCounter" searchWhenChanged="true">
  <choice value="%_Processor_Time">% Processor Time</choice>
  <choice value="%_User_Time">% User Time</choice>
  <choice value="%_Privileged_Time">% Privileged Time</choice>
  <choice value="%_DPC_Time">% DPC Time</choice>
  <choice value="%_Interrupt_Time">% Interrupt Time</choice>
</input>
This is a reduced example; if you want all the counters, look at your inputs.conf, you will have all of them in each input. The secret is that you need to put the "_" underscore replacing spaces in the value to make it work, and add the "choice" for this counter.
You can of course make a scheduled search that makes a CSV automatically and then get the values from there... but I feel it is easier this way as it will not consume search.
I am attaching a modified (not all options, just the ones we use now), so you may want to add all the choices, but it works with multikv.
OOPS... I can't attach a file... I need more KARMA to attach files! ... if you provide it, I will attach the file(s) I have.
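The two manual steps in the answer above (checking that every perfmon input has mode = single and every event log input has renderXml = false, then turning the counters list of a perfmon stanza into the underscore-valued <choice> elements for the view file) can be scripted. The following is an added helper, not code from the post or from the Splunk app; the inputs.conf content is a constructed sample, and it assumes the TA v6.0 defaults the post describes (multikv and XML) apply when the key is absent from a stanza.

```python
import configparser
from xml.sax.saxutils import escape

# Constructed sample inputs.conf (not taken from the post). The event log stanza
# and the first perfmon stanza are already set the way the post recommends; the
# second perfmon stanza still relies on the TA v6.0 default (multikv) for contrast.
SAMPLE_INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
renderXml = false
index = oswinsec

[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time; % Privileged Time; % DPC Time; % Interrupt Time
instances = *
interval = 10
mode = single
index = oswinperf

[perfmon://Memory]
object = Memory
counters = Available MBytes; Pages/sec
interval = 10
index = oswinperf
"""


def parse_conf(text):
    """Parse Splunk .conf text (INI-like). Interpolation is disabled because
    counter names contain '%', which configparser would otherwise try to expand."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (renderXml, not renderxml)
    cp.read_string(text)
    return cp


def counter_value(name):
    """Dashboard token value: the counter name with spaces replaced by '_',
    which is how the field is named when the input runs in multikv mode."""
    return name.strip().replace(" ", "_")


def choices_for_stanza(cp, stanza):
    """Build one <choice> line per entry in the stanza's 'counters' list."""
    raw = cp.get(stanza, "counters", fallback="")
    lines = []
    for name in (c.strip() for c in raw.split(";") if c.strip()):
        value = escape(counter_value(name), {'"': "&quot;"})
        lines.append('<choice value="%s">%s</choice>' % (value, escape(name)))
    return lines


def dropdown_xml(cp, stanza, token):
    """Complete <input> element to paste into the view file for the given token."""
    body = "\n".join("  " + line for line in choices_for_stanza(cp, stanza))
    return ('<input type="dropdown" token="%s" searchWhenChanged="true">\n%s\n</input>'
            % (token, body))


def check_inputs(cp):
    """Return (stanza, reason) pairs for inputs still using the TA v6.0 defaults
    the app cannot read. Assumption: a missing key means the default applies."""
    problems = []
    for stanza in cp.sections():
        if stanza.startswith("perfmon://"):
            if cp.get(stanza, "mode", fallback="multikv").lower() != "single":
                problems.append((stanza, "mode should be single"))
        elif stanza.startswith("WinEventLog://"):
            if cp.get(stanza, "renderXml", fallback="true").lower() != "false":
                problems.append((stanza, "renderXml should be false"))
    return problems


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_INPUTS_CONF)
    print(dropdown_xml(conf, "perfmon://CPU", "CPUCounter"))
    for stanza, why in check_inputs(conf):
        print("WARNING: %s: %s" % (stanza, why))
```

Run it against your real inputs.conf by reading the file into parse_conf instead of the constructed sample; the generated <input> block replaces the CPUCounter dropdown in windows_performance.xml, and any warning printed points at a stanza the app will still not read correctly.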