No Network Data in App for Windows Infrastructure

bleinfelder
Path Finder

Hi there,

I installed my brand new splunk 6.0.2 installation in a Windows-only network. I installed the Add-on (Splunk_TA_windows) on all forwarders and the new Splunk App for Windows Infrastructure on the Search Head and the indexer.

First, I had to manually enable all the inputs in etc\apps\Splunk_TA_windows\default\inputs.conf, as they are disabled by default. It would be great if this were mentioned somewhere in the docs (or enabled by default).

Now I'm getting lots of events in my indexers, like the following:

04/11/2014 09:45:38.932 +0200
collection=LocalNetwork
object="Network Interface"
counter="Bytes Received/sec"
instance="Intel[R] PRO_1000 MT Network Connection"
Value=773095.12666755717

04/11/2014 09:45:38.932 +0200
collection=LocalNetwork
object="Network Interface"
counter="Bytes Sent/sec"
instance="Intel[R] PRO_1000 MT Network Connection"
Value=462083.13425911259

04/11/2014 09:45:38.932 +0200
collection=LocalNetwork
object="Network Interface"
counter="Bytes Total/sec"

So I guess the events are reported correctly into my indexers.

Unfortunately the dashboards regarding networking are all empty, e.g. in splunk_app_windows_infrastructure/palette/Windows.NetworkMonitoringOperations/ there's a dashboard "Top Hostnames Inbound Conns". The underlying query for this is

sourcetype=WinNetMon host="*" Direction=inbound earliest=-60m | top limit=10 RemoteHostName

But sourcetype for my collected events is Perfmon:LocalNetwork and I cannot find any Direction attribute at all anywhere.

So - did I install the wrong apps, so event collection and dashboards do not match? Or some configuration issue?

I really liked the dashboards in the Legacy App for Windows - perfectly suitable for management presentations. It'd be a pity if Splunk 6 couldn't provide them as well.

Any help appreciated.

Regards,

Bernd


martin_mueller
SplunkTrust

Moin Bernd,

in order to get WinNetMon events you should make sure your Windows TA on the forwarder has an inputs.conf stanza something like this:

[WinNetMon://mynetmon]
addressFamily = ipv4
direction = inbound;outbound
index = winevents
packetType = connect;accept
protocol = udp;tcp

The events you're seeing are from the performance monitor, they won't provide data for your search of sourcetype=WinNetMon. See http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/inputsconf for reference, search for "winnetmon". I agree the app docs still leave some room for improvement 🙂


itdepartment
New Member

In addition to setting up your inputs.conf as described by martin and mdonnelly, I also had to copy palettesearches.conf into my local directory, edit these sections and restart the Splunk instance.

[NetworkMonitoring.OutboundHosts.Search]
search = index=windows sourcetype=WinNetMon host="$NetworkHost$" Direction=outbound earliest=-60m | top limit=10 RemoteHostName
use_timepicker = 1

[NetworkMonitoring.InboundHosts.Search]
search = index=windows sourcetype=WinNetMon host="$NetworkHost$" Direction=inbound earliest=-60m | top limit=10 RemoteHostName
use_timepicker = 1

[NetworkMonitoring.OutboundProcesses.Search]
search = index=windows sourcetype=WinNetMon host="$NetworkHost$" Direction=outbound earliest=-60m | top limit=10 ProcessName
use_timepicker = 1

[NetworkMonitoring.InboundProcesses.Search]
search = index=windows sourcetype=WinNetMon host="$NetworkHost$" Direction=inbound earliest=-60m | top limit=10 ProcessName
use_timepicker = 1

Updating eventtypes.conf like this was not enough, or did not work.

[windows_netmon]
search = index=windows sourcetype="WinNetMon"

Our server details:

Splunk Version: 6.2.0
Splunk Build: 237341
Current App: Splunk App for Windows Infrastructure
App Version: 1.0.4
App Build: 234279


mdonnelly_splun
Splunk Employee

Unlike the other Win*Mon sources, the WinNetMon input needs an explicit "disabled = 0" for activation.

Specifying the index is always good form. The addressFamily, packetType, direction, and protocol all default to maximum values that capture all options; you only need to specify them if you wish to reduce your result set.

The following settings work on Splunk 6.2.x UFs:

[WinNetMon://WinNetMon]
index = windows
disabled = 0
# Optional filters; multiple values are separated by ';' as in inputs.conf.spec
#addressFamily = ipv4;ipv6
#packetType = connect;accept
#direction = inbound;outbound
#protocol = udp;tcp

See other options listed in /opt/splunk/etc/system/README/inputs.conf.spec

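To make the two points in the answers above checkable (martin's WinNetMon stanza, and mdonnelly's note that WinNetMon alone needs an explicit disabled = 0 while Perfmon inputs do not), here is an added Python check that is not part of the thread or of the Splunk add-on: it parses a forwarder's inputs.conf, lists the sourcetypes the enabled inputs will emit, and flags WinNetMon stanzas that will stay off or use a wrong separator. The sample inputs.conf is constructed, and the allowed values are only those that appear in this thread.

```python
import configparser
# Constructed inputs.conf, not copied from the thread. Stanza 1 follows the answers,
# stanza 2 lacks the explicit disabled = 0, stanza 3 is a Perfmon input like the one
# behind Bernd's Perfmon:LocalNetwork events.
SAMPLE_INPUTS_CONF = """
[WinNetMon://WinNetMon]
index = windows
disabled=0
direction = inbound;outbound
protocol = udp;tcp
[WinNetMon://mynetmon]
addressFamily = ipv4
index = winevents
direction = inbound,outbound
[perfmon://LocalNetwork]
object = Network Interface
index = windows
"""
# Multi-valued WinNetMon keys with the values used in the thread; ';' separates them.
ALLOWED = {"direction": {"inbound", "outbound"}, "protocol": {"tcp", "udp"},
           "packetType": {"connect", "accept"}, "addressFamily": {"ipv4", "ipv6"}}

def audit_inputs(conf_text):
    """Return (sourcetypes the enabled inputs will emit, WinNetMon stanza -> issues)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str                      # keep key case (packetType)
    parser.read_string(conf_text)
    sourcetypes, findings = set(), {}
    for stanza in parser.sections():
        keys = parser[stanza]
        disabled = keys.get("disabled", "").strip()
        if stanza.startswith("perfmon://"):
            if disabled != "1":                   # perfmon is on unless disabled = 1
                sourcetypes.add("Perfmon:" + stanza.split("://", 1)[1])
            continue
        if not stanza.startswith("WinNetMon://"):
            continue
        issues = []
        if disabled == "0":                       # WinNetMon needs the explicit 0
            sourcetypes.add("WinNetMon")
        else:
            issues.append("no explicit disabled = 0; the input stays off")
        if "index" not in keys:
            issues.append("no index set; events go to the default index")
        for key, allowed in ALLOWED.items():
            bad = [v for v in keys.get(key, "").split(";") if v.strip() not in allowed]
            if key in keys and bad:
                issues.append(f"{key}: unexpected value(s) {bad}; separate with ';'")
        findings[stanza] = issues
    return sourcetypes, findings
```

A dashboard search filtering on sourcetype=WinNetMon can only return data when "WinNetMon" is in the first element of the returned tuple; Bernd's forwarders would have produced only Perfmon:LocalNetwork.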
