I have installed the required apps to get Splunk App for Windows Infrastructure to work. I have the inputs.conf configured with the following:
###### OS Logs ######
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = true

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
If I search for the index wineventlog I see items that have been indexed from all desktops, but for some reason I can't seem to get the information to show up in the Splunk App for Windows Infrastructure under Windows > Event Monitoring; all I get is "No Results found".
Any ideas why this would be?
I have tried to run the Build lookups again etc. and it's the same.
Thanks
Hi @gethersj,
The Splunk App for Windows Infrastructure works using eventtypes that don't contain the index (don't ask me why!).
So if you don't have (and usually this is the case!) the wineventlog index in the default path, the eventtypes don't find anything!
You can follow two approaches:
The first solution is quick and dirty; the second requires more time but it's better because you'll have better performance in your App searches.
Ciao.
Giuseppe
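A quick way to see whether the "default path" problem Giuseppe describes applies, as an added example that is not part of the original thread: run the app's eventtype with and without the index named, then look at the roles' default search indexes over REST. The eventtype name wineventlog_windows and the index wineventlog are taken from this thread; the REST endpoint and the fields srchIndexesDefault / srchIndexesAllowed are Splunk's standard role attributes.

```spl
eventtype="wineventlog_windows" earliest=-24h
| stats count AS events_via_default_path BY index

eventtype="wineventlog_windows" index=wineventlog earliest=-24h
| stats count AS events_with_index_named BY index

| rest /services/authorization/roles splunk_server=local
| table title srchIndexesDefault srchIndexesAllowed
```

If the first search returns nothing while the second returns thousands of events, the app's dashboards (which do not name the index) are searching a default path that does not include wineventlog. The third search shows which roles have it in "Indexes searched by default" (srchIndexesDefault in authorize.conf); the role of the user viewing the dashboard is the one that matters.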
hi @gcusello
Thanks for your reply.
I have done this and it's the same.
Thanks
Hi @gethersj,
usually the problem is the default path!
Anyway, open a panel of that dashboard in search and debug it by deleting, one by one, from the end, the commands up to the last pipe "|".
In this way you can understand what the problem is that's blocking your panels.
I don't have this app at hand; could you share the search you're speaking of?
Ciao.
Giuseppe
This is the search that it executes:
| inputlookup windows_event_details | table LogName, SourceName, TaskCategory, EventCode | sort LogName, TaskCategory, EventCode
If I run index="wineventlog" I get thousands of returned values. I just can't see why the Windows App doesn't show the events.
Thanks
Hi @gethersj,
this panel uses a lookup.
First, see, using Lookup Editor, if in this lookup you have values.
To do this, see in the scheduled searches which is the search that puts values in this lookup: you can recognize it because at the end you'll find "| outputlookup windows_event_details".
Then debug this search using the above way.
Ciao.
Giuseppe
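The two checks Giuseppe describes (does the lookup contain rows, and which scheduled search fills it) can be done from the search bar instead of the Lookup Editor. This is an added example, not code from the thread or from the app: the lookup name windows_event_details comes from the thread, and the saved-searches REST endpoint and its fields (search, cron_schedule, disabled, next_scheduled_time, eai:acl.app) are Splunk's standard ones.

```spl
| inputlookup windows_event_details
| stats count AS lookup_rows dc(LogName) AS distinct_lognames dc(EventCode) AS distinct_eventcodes

| rest /servicesNS/-/-/saved/searches splunk_server=local
| where like(search, "%outputlookup windows_event_details%")
| table title eai:acl.app disabled cron_schedule next_scheduled_time search
```

A lookup_rows of 0 (or an error that the lookup does not exist) confirms the dashboard has nothing to show. The second search lists every saved search whose SPL ends in the outputlookup, so you can see whether it is disabled, when it last was due to run, and copy its search string to debug it pipe by pipe.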
Hi @gcusello
I am a little lost now to be honest.
I have gone to Settings > Lookups > Automatic Lookups; I take it I should be able to see a lookup called windows_event_details?
I have run a dashboard that does work, and the lookup here looks like this: | inputlookup windows_perfmon_details | eval Perfmon_Counter=counter | eval Perfmon_Counter_Category=object | dedup Perfmon_Counter, instance | table Perfmon_Counter_Category, Perfmon_Counter, instance | sort Perfmon_Counter_Category, Perfmon_Counter, instance
Thanks
Hi @gethersj,
no: automatic lookups are a way to reduce code in your searches, because if you have an automatic lookup you don't need to call the lookup using the lookup command.
Have you installed the Splunk_TA_Windows App on your Search Head?
Because the scheduled search that puts values in the lookup uses an eventtype (wineventlog_windows) defined in this App.
Ciao.
Giuseppe
Yes, that app is installed. Very weird this is 😕
Thanks
Hi @gethersj,
the scheduled search that populates the lookup is "WinApp_Lookup_Build_Event - Update - Detail"; please try to execute it manually.
If you have no results, please try this:
eventtype="wineventlog_windows" index=wineventlog
| dedup EventCode, LogName
| fields + LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription, Message
| eval EventCodeDescription=if(isnull(EventCodeDescription) OR len(trim(EventCodeDescription))==0 OR EventCode=="No Description Available-Update windows_eventcode_definitions", mvindex(split(Message, "."), 0), EventCodeDescription)
| table LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription
| eval _key = LogName . "___" . EventCode . "___" . SourceName . "___" . TaskCategory . "___" . Type . "___" . EventCodeDescription
| outputlookup windows_event_details append=true
If you have results now, the problem is the path I mentioned in my first answer.
If it doesn't run, you have to debug it by deleting the rows one by one up to the last pipe "|".
You have to find which row blocks the results.
Probably the problem is in the dedup command.
If you haven't any result also using only the main search
Ciao.
Giuseppe
Hi @gcusello
I tried executing that manually and I got 0 results.
Entering just eventtype="wineventlog_windows" index=wineventlog I get results.
But with anything after the first pipe I get 0 results, so your expectations were correct.
Do you know if there is a workaround for this, or do I need to start from the beginning with it all?
Thanks
Hi @gethersj,
this means that there isn't any extraction for the field EventCode or the field LogFile, so the result of dedup is zero!
The first is surely present, I'm not sure about the second one.
You can check this, running only the main search
eventtype="wineventlog_windows" index=wineventlog
See if the fields EventCode and LogFile are present.
If one of them (e.g. LogFile) is missing, you have three ways:
One doubt:
are you using the latest versions of Splunk_TA_Windows and Splunk App for Windows Infrastructure?
Which version of Windows is on the target server?
The latest versions of Windows changed the log format; maybe there's a parsing problem.
Ciao.
Giuseppe
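The field check Giuseppe asks for (here, and in the earlier "delete the rows one by one" advice) can be made precise with stats, because count(field) counts only events where the field has a value and dedup silently drops events where the field is null. This is an added example, not code from the thread or from the app; the eventtype, index and field names are the ones used in the lookup-build search above, and the first search also breaks the counts out by sourcetype because the Splunk_TA_Windows field extractions are defined per sourcetype and the inputs above use renderXml = true.

```spl
eventtype="wineventlog_windows" index=wineventlog earliest=-24h
| stats count AS events
        count(EventCode) AS has_EventCode
        count(LogName) AS has_LogName
        count(SourceName) AS has_SourceName
        count(TaskCategory) AS has_TaskCategory
        count(Type) AS has_Type
        count(EventCodeDescription) AS has_EventCodeDescription
        BY sourcetype

eventtype="wineventlog_windows" index=wineventlog earliest=-24h
| dedup EventCode, LogName
| stats count AS rows_after_dedup
```

Read the first result row by row: a column that is 0 while events is in the thousands names a field that is not being extracted for that sourcetype, and if either has_EventCode or has_LogName is 0 the second search will return rows_after_dedup = 0 exactly as seen in this thread. A sourcetype you did not expect in the first column points at the parsing question Giuseppe raises about TA and Windows versions rather than at the search itself.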