Getting Data In

Splunk App for Windows Infrastructure default index issue

token2
Path Finder

I have the latest SA-LDAP, Splunk_TA_Windows and Windows Infra apps installed.  I have sourcetype WinHostMon data coming in, but the Infrastructure app guided setup says it is not detected.

I jumped over to one of the infra dashboards and all panels have "No results found" >> Host Monitoring - Operations >> Disk Free Space Distribution and opened that in search.  By simply inputting index=windows the search then works.

Where does the app designate the default index it's searches refer to?

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @token2,

the easiest way is to do this by gui in [Settings -- Roles -- your_role -- indexes].

If you want to do this in .conf file, open: %SPLYNK_HOME/etc/system/local/authorize.conf and in the stanza of you role add (if there isn't) or modify the option srchIndexesDefault.

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it fot the other people of Community or tell me how can I help you more (and Karma Points are apprecited 😉 )

 

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @token2,

at first see if you have logs in the indexes where logs are stored: If you haven't results, there's a problem in log ingestion.

If instead you have results, open a search of one panel in Search, then add index="win*" to the main search and see if you have results: probably the indexes where logs are stored isn't in the default search path.

If this is the problem you have two choices:

  • add those indexes to the default path for the roles you're using,
  • modify all the eventtypes adding the indexes.

First solution is quicher to resolve but I don't like because your searches are slower.

I prefer the second solution even if is longer to implement but is more performant.

Ciao.

Giuseppe

token2
Path Finder

@gcusello I get results if I input index=win* (in this case its index=windows).  

How does one go about changing the default path for the role via .conf files?  I see it in the GUI:

Settings >> Authentication Methods (because using LDAP in this case) >> LDAP Settings >> Map groups >> Edit LDAP group name user is affected by, added "winfra-admin".

Where is this found inside of the Splunk file system?  

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @token2,

the easiest way is to do this by gui in [Settings -- Roles -- your_role -- indexes].

If you want to do this in .conf file, open: %SPLYNK_HOME/etc/system/local/authorize.conf and in the stanza of you role add (if there isn't) or modify the option srchIndexesDefault.

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it fot the other people of Community or tell me how can I help you more (and Karma Points are apprecited 😉 )

 

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...