All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Search & Reporting not displaying expected sources?

eckdale
Path Finder
‎05-29-2014 12:45 PM

Splunk newbie here.

I've installed the Splunk App for Windows Infrastructure to my central instance (indexer + search head) and deployed the following application to my 2008 R2 AD DCs: Splunk_TA_windows, TA-DNSServer-NT6, and TA-DomainController-NT6.

Everything appears to be in order but I am not seeing some expected sources in the index. Specifically if I go to Splunk Search and Reporting > Data Summary, I see:

  • WinEventLog:Application
  • WinEventLog:Security
  • WinEventLog:System
  • Perfmon:Memory
  • Perfmon:LocalNetwork
  • Perfmon:FreeDiskSpace
  • Perfmon:CPUTime
  • some more sources...

However if I enter the following search: 

index=winevents source="WinEventLog:DNS Server"

Results are returned which confuses me because WinEventLog:DNS Server isn't listed as an indexed source.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎05-29-2014 12:49 PM

Hi there. The reason you're seeing DNS Server, is due to the TA-DNSServer-NT6 addon that is required that you have deployed to your DCs that has specific inputs for DNS Server related eventlogs. Hope this helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

eckdale
Path Finder
‎05-29-2014 03:29 PM

I found that by simply editing the 'indexes searched by default' of the applicable user role to include the indexes I cared about resolved the issue.

0 Karma
Reply
Solved! Jump to solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎05-29-2014 01:09 PM

One reason may be that the index(es) used to house the DNS Server traffic may not be in your default-searched-indexes listing under the User role. Also, if you don't see "WinEventLog:DNS Server", you may see "WinEventLog:DNS-Server" (notice the dash). Searching in data summary for "dns" will reveal a bit more.

0 Karma
Reply
Solved! Jump to solution
Solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎05-29-2014 12:49 PM

Hi there. The reason you're seeing DNS Server, is due to the TA-DNSServer-NT6 addon that is required that you have deployed to your DCs that has specific inputs for DNS Server related eventlogs. Hope this helps.

0 Karma
Reply
Solved! Jump to solution

eckdale
Path Finder
‎05-29-2014 01:23 PM

I think you've found the issue. If I search "index=winevents" I see the 4 unique sources that I thought were missing. If I search "source="WinEventLog:Application" I see the index=main. As a Splunk newbie I find the concept of Search & Report not actually searching all of the indexes strange... or maybe it would be more accurate to say that I find it strange that they Splunk App for Windows Infrastructure is placing Windows Event log data into more than one index.

0 Karma
Reply
Solved! Jump to solution

eckdale
Path Finder
‎05-29-2014 01:02 PM

I understand that the TA-DNSServer-NT6 app has specific inputs enabled what I don't understand is why I don't see the 'WinEventLog:DNS Server' as an indexed source unless I explicitly search for it.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...