Getting Data In

Windows host and source types not shown in search

thejohn
Path Finder

I had to reinstall my universal forwarder on a Windows server and Splunk stopped showing new messages. So I deleted all messages of this host, then I cleaned the wineventlog index, then reinstalled the UF again because I thought that might force it. Now I don't see my server in hosts and all EventLog source types disappeared, but when I search "index=wineventlog" I can see all new messages.

How can I re-add the server to hosts, and how do I get the old source types back?

This is Splunk Light, by the way.

0 Karma
1 Solution

thejohn
Path Finder

OK, I got it, I think.
I copied authorize.conf from /etc/system/default to /etc/system/local on the Splunk Light server and changed this line
srchIndexesDefault = main;os
to
srchIndexesDefault = wineventlog;main;os
for the admin user.
After a restart everything worked as it should.
I think there might be a bug in the Windows Add-On not configuring this correctly.

View solution in original post

0 Karma
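The same fix as an added example (not the poster's file, and not shipped by the Windows Add-on), written as a minimal local override instead of a full copy of the default file: Splunk layers $SPLUNK_HOME/etc/system/local/authorize.conf on top of etc/system/default/authorize.conf, so only the attribute being changed has to appear in local. The stanza name [role_admin] and the attribute names are Splunk's own; the index list is semicolon-separated. Nothing else in this block is assumed beyond the three index names already on the page.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf   (added example)
# Only the overridden attribute is needed here; every other setting for the
# admin role is still inherited from etc/system/default/authorize.conf, and
# a future upgrade will not be fighting a stale full copy of that file.
[role_admin]
# Indexes searched when a search has no index= clause. This list also decides
# which hosts and sourcetypes appear in the data summary, which is why the
# host "disappeared" while index=wineventlog still returned events.
srchIndexesDefault = wineventlog;main;os
# Indexes the role may search at all when index= is given explicitly.
# admin defaults to "*"; a role restricted here would see nothing from
# wineventlog even with an explicit index= clause.
srchIndexesAllowed = *
```

After `splunk restart`, check the effective role settings with `| rest /services/authorization/roles splunk_server=local | search title=admin | table title srchIndexesDefault srchIndexesAllowed`, and confirm the host is back with `| metadata type=hosts index=wineventlog`. One caveat the thread does not mention: the add-on only tells the forwarder to send to index=wineventlog; the index itself has to exist on the receiving instance (indexes.conf), or the events are dropped and no role setting will bring them back.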

thejohn
Path Finder

OK, so I think I know what the problem is. By default Splunk searches only the main index, I think. The Windows Add-On uses wineventlog, which is not searched. I set it up again so the forwarder forwards to the main index instead of wineventlog and, success, the host and sourcetypes were shown. So now the question is how do I configure Splunk Light to also search the wineventlog index. If you use Splunk Enterprise I think you just need to set up roles so that it is visible to your user. Don't know how to do this on Light yet...

edit:
Also, when I configured the UF as a deployment client I thought it would forward messages on its own, but it turns out you still need to add the receiving server.

0 Karma
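An added example (not the poster's configuration) of the three forwarder-side files behind the two points in the post above: the input that sends Windows event logs to the wineventlog index, the output that names the receiving server, and the deployment-client stanza that on its own only fetches apps from a deployment server and does not make the forwarder send any data anywhere. The hostname splunk.example.com and the ports 9997 (receiving) and 8089 (management) are assumptions; 9997 and 8089 are the usual values but must match what the server actually listens on.

```ini
# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the universal forwarder (added example)
# The Windows Add-on ships stanzas like these; shown here so the index= line is
# visible. This index must exist on the receiver and be in the searching role's
# srchIndexesDefault, or the host and sourcetypes will not show up in the UI.
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# --- $SPLUNK_HOME/etc/system/local/outputs.conf on the universal forwarder
# Without this file nothing is sent, regardless of deployment-client settings.
# The receiving port must be enabled on the server first (splunk enable listen 9997).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk.example.com:9997   ; assumed hostname and default receiving port

# --- $SPLUNK_HOME/etc/system/local/deploymentclient.conf on the universal forwarder
# Only tells the forwarder where to poll for deployment apps; the receiving
# server still has to be configured in outputs.conf (or in an app pushed
# from the deployment server that contains an outputs.conf).
[deployment-client]

[target-broker:deploymentServer]
targetUri = splunk.example.com:8089   ; assumed hostname and default management port
```

On the forwarder, `splunk list forward-server` shows whether the configured receiver is active; on the server, `| metadata type=hosts index=wineventlog` should then list the Windows host within a few minutes of the first events arriving.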

pierre31
New Member

I am having the same issue here too... all my Linux hosts are showing. WinSrv 2012 is showing, but not Win7.

0 Karma

thejohn
Path Finder

I restored Splunk to a snapshot taken just after install and repeated the installation of the UF multiple times. First I specified only the receiving server, and again all logs went to the wineventlog index but are not shown anywhere. Second, I tried configuring the UF as a deployment client and the server does not receive any messages. I am totally lost...

0 Karma