
Why is Search & Reporting not displaying expected sources?

eckdale
Path Finder

Splunk newbie here.

I've installed the Splunk App for Windows Infrastructure on my central instance (indexer + search head) and deployed the following applications to my 2008 R2 AD DCs: Splunk_TA_windows, TA-DNSServer-NT6, and TA-DomainController-NT6.

Everything appears to be in order but I am not seeing some expected sources in the index. Specifically if I go to Splunk Search and Reporting > Data Summary, I see:

  • WinEventLog:Application
  • WinEventLog:Security
  • WinEventLog:System
  • Perfmon:Memory
  • Perfmon:LocalNetwork
  • Perfmon:FreeDiskSpace
  • Perfmon:CPUTime
  • some more sources...

However if I enter the following search:

index=winevents source="WinEventLog:DNS Server" 

Results are returned which confuses me because WinEventLog:DNS Server isn't listed as an indexed source.

0 Karma
1 Solution

jbernt_splunk
Splunk Employee

Hi there. The reason you're seeing DNS Server is the TA-DNSServer-NT6 add-on, which is required and which you have deployed to your DCs; it has specific inputs for DNS Server-related event logs. Hope this helps.


0 Karma

eckdale
Path Finder

I found that simply editing the 'indexes searched by default' of the applicable user role to include the indexes I cared about resolved the issue.

0 Karma

jbernt_splunk
Splunk Employee

One reason may be that the index(es) used to house the DNS Server traffic may not be in your default-searched-indexes listing under the User role. Also, if you don't see "WinEventLog:DNS Server", you may see "WinEventLog:DNS-Server" (notice the dash). Searching in data summary for "dns" will reveal a bit more.

0 Karma
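The two points raised above (a role whose default search scope omits the index holding the DNS Server events, and the "DNS Server" versus "DNS-Server" source name) boil down to two configuration files. The following is an added example, not from the original thread or from the Splunk add-ons it mentions; it assumes the DNS Server input is routed to an index named "winevents" while the default Windows event log inputs land in "main", that the affected role is "user", and that the stanza names shown are the ones in use (the real TA-DNSServer-NT6 stanza may differ). From a detection standpoint the failure mode matters: events that index fine but sit outside the role's default search scope are invisible to ad-hoc searches and to any dashboard that does not name the index explicitly.

```ini
# Added example, not the original poster's or the add-on's own configuration.
# Assumptions: index "winevents" for DNS Server events, role "user".

# inputs.conf on the domain controller (forwarder side).
# The Windows event log channel is literally "DNS Server" (with a space), so
# the resulting source field is "WinEventLog:DNS Server". A channel or input
# named "DNS-Server" would instead produce "WinEventLog:DNS-Server".
[WinEventLog://DNS Server]
disabled = 0
index = winevents

# authorize.conf on the search head.
# srchIndexesAllowed bounds what the role may search when index= is given
# explicitly; srchIndexesDefault is what Search & Reporting searches when no
# index= term is present. Both are semicolon-separated lists.
[role_user]
srchIndexesAllowed = main;winevents
srchIndexesDefault = main;winevents
```

To confirm where the events actually landed and under which source name, run a search that is not limited by the role's defaults, for example `index=* source="*DNS*" | stats count by index, source`, and compare its output with the Data Summary listing.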


eckdale
Path Finder

I think you've found the issue. If I search "index=winevents" I see the 4 unique sources that I thought were missing. If I search "source=WinEventLog:Application" I see index=main. As a Splunk newbie I find the concept of Search & Reporting not actually searching all of the indexes strange... or maybe it would be more accurate to say that I find it strange that the Splunk App for Windows Infrastructure is placing Windows Event Log data into more than one index.

0 Karma

eckdale
Path Finder

I understand that the TA-DNSServer-NT6 app has specific inputs enabled; what I don't understand is why I don't see 'WinEventLog:DNS Server' as an indexed source unless I explicitly search for it.

0 Karma