Splunk App for Windows infrastructure data not sho...

pmovrich · ‎04-30-2014

Hello

I currently have Splunk app for Windows Infrastructure installed and have a windows 2008 server setup with a universal forwarder with the Splunk_TA_windows add-on installed. I see the windows server logs being indexed on the Splunk 6.0 server. But it's not populating inside the app.

help please.

tprzelom · ‎08-29-2014

You have to go into the XML view for the dashboards and look at what searches are run to populate the dashboard.

They may rely on the sourcetype or index defined in the inputs.conf or something more abstract like an eventtype.

neiljpeterson · ‎05-20-2014

Can you elaborate? I am having a similar problem. The only inputs.conf I edited for the setup was the one for the LDAP app. Is there another one?

pmovrich · ‎05-01-2014

I figured out what i was doing wrong. i some how grabbed the wrong inputs.conf file and edited that one. i found the correct one and the data started to flow into the app.

anyhow thanks for the response.

lguinn2 · ‎04-30-2014

I don't know much about the app, but I would guess that it is expecting the Windows data to be stored in a particular index. (index=os perhaps?)
If the data is stored elsewhere (like index=main for example), you will be able to see the data, but it won't appear in the Windows app dashboards, etc.

Splunk App for Windows infrastructure data not showing in app

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases