All Apps and Add-ons

Splunk App for Windows - No Windows Events showing up

gethersj
Loves-to-Learn Lots

I have installed the required apps to get Splunk App for Windows Infrastructure to work. I have the inputs.conf configured with the following: 

###### OS Logs ######
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

 

If i search for the index wineventlog i see items that have been indexed from all desktops, but for some reason i cant seem  to get the information to show up on the Splunk App for Windows Infrastructure under Windows > Event Monitoring all i get is No Results found.... 

 

Any ideas why this would be? 

I have tried to run the Build lookups again etc and its the same. 

Thanks

Labels (4)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gethersj,

The Splunk App for Windows Infrastructure works using eventtypes that don't contain the index (don't ask me why!).

So if you haven't (and usually this is!) wineventlog index in the default path, the eventtypes don't find anything!

You can follow two approaches:

  • put wineventlog index in the default path [Settings -- Roles -- <your_role> Indexex] for the roles you're using;
  • modify each eventtype of the app adding "index=wineventlog".

The first solution is quick and dirty, the second requires more time but it's better because you'll have more performaces in your App searches.

Ciao.

Giuseppe

0 Karma

gethersj
Loves-to-Learn Lots

hi @gcusello 

Thanks for your reply. 

I have done this and its the same. 

  • put wineventlog index in the default path [Settings -- Roles -- <your_role> Indexex] for the roles you're using;       - Added this and its the same no events showing up still. 

 

  • modify each eventtype of the app adding "index=wineventlog". -- As you can see in my post i have put index on each eventtype i think?

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gethersj,

usually the problem is default path!

Anyway, open a panel of that dashboard in search and debug it deleting, one by one, from the end, the commands until last pipe "|".

In this way you can understand what is the problem that's blocking your panels.

I don't have at hand this app, could you share the search you're speaking?

Ciao.

Giuseppe

0 Karma

gethersj
Loves-to-Learn Lots

This is the search that it executes:

| inputlookup windows_event_details | table LogName, SourceName, TaskCategory, EventCode | sort LogName, TaskCategory, EventCode

 

IF i run index="wineventlog" i get thousands of returned values. Just cant see why the Windows App doesnt show the events. 

Thanks

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gethersj,

this panel uses a lookup.

At first see, using Lookup Editor, if in this lookup you have values.

  • If yes, check the grants on this lookup.
  • If not (more easy!) you have to understand why this lookup doesn't contain values.

To do this, see in the scheduled searches which is the search that put values in this lookup: you can recognize it because at the end you'll find "| outputlookup windows_event_details ".

Then debug this search using the above way.

Ciao.

Giuseppe

0 Karma

gethersj
Loves-to-Learn Lots

Hi @gcusello 

I am a little lost now to be honest. 

I have gone to Settings > Lookups > Automatic Lookups  - take it i should be able to see  a lookup called windows_event_details? 

 

I have ran a dashboard that does work and the lookup here looks like this: | inputlookup windows_perfmon_details | eval Perfmon_Counter=counter | eval Perfmon_Counter_Category=object | dedup Perfmon_Counter, instance | table Perfmon_Counter_Category, Perfmon_Counter, instance | sort Perfmon_Counter_Category, Perfmon_Counter, instance

 

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gethersj,

no: automatic lookups is a way to reduce code in your searches because if you have an automatic lookup, you don't need to call a lookup using the lookup command.

Have you installed on your Search Head the Splunk_TA_Windows App?

Because the scheduled search that put values in the lookup uses an Eventtype (wineventlog_windows) defined in this App.

Ciao.

Giuseppe

 

0 Karma

gethersj
Loves-to-Learn Lots

Yes that app is installed. Very weird this is 😕 

 

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gethersj,

the scheduled search that populates the lookup is "WinApp_Lookup_Build_Event - Update - Detail", please try to manually execute it.

if you haven't results, please try this:

eventtype="wineventlog_windows" index=wineventlog
| dedup EventCode, LogName
| fields + LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription, Message
| eval EventCodeDescription=if(isnull(EventCodeDescription) OR len(trim(EventCodeDescription))==0 OR EventCode=="No Description Available-Update windows_eventcode_definitions", mvindex(split(Message, "."), 0), EventCodeDescription)
| table LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription
| eval _key = LogName . "___" . EventCode . "___" . SourceName . "___" . TaskCategory . "___" . Type . "___" . EventCodeDescription
| outputlookup windows_event_details append=true

if you have now results, the problem is the path I said in my first answer.

If it doesn't run, you have to debut it deleting one by one the rows until last pipe "|".

You have to find which is the row that blocks the results.

Probably the problem is in the dedup command.

If you haven't any result also using only the main search

Ciao.

Giuseppe

0 Karma

gethersj
Loves-to-Learn Lots

Hi @gcusello 

I tried executing that manually and i got 0 results. 

Entering just eventtype="wineventlog_windows" index=wineventlog i get results. 

But anything after the first pipe i get 0 results , so your expectations were correct. 

 

Do you know if there is a workaround for this, or do i need to start from start with it all?

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gethersj,

this means that there isn't any extraction for or the field EventCodethe field LogFile, so the results of dedup i zero!

The first is surely present, I'm not sure about the second one.

You can check this, running only the main search

eventtype="wineventlog_windows" index=wineventlog

See if the fields EventCode and LogFile are present.

If one of them (e.g. LogFile) is missing, you have three ways:

  • seeing what happens removing the second field in dedup,
  • search in the main search if there's another field with the content of LogFile, maybe is only written in a different way,
  • try to extract by yourself the LogFile field.

One dubt:

are you using the last versions of Splunk_TA_Windows and Splunk App for Windows Infrastructure?

Which is the version of Windows of the target server?

The last versions of Windows changed the logs format, maybe there's a parsing problem. 

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...