All Apps and Add-ons

Is there a props.conf timestamp configuration for the Splunk App for Windows Infrastructure?

daniel333
Builder

All,

We just stood up the Splunk App for Windows Infrastructure yesterday, and since doing so, I am getting alerts about log ingestion time being high for the WindowsUpdateLog. I don't see the normal time look ahead and breakers etc. I am not familiar with Windows+Splunk, so before I go and write out props.conf for this, I just wanted to make sure I am right and this was indeed missing from the app?

When I look props.conf, I don't see any timestamp related settings:

[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host as dest
REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
0 Karma

maciep
Champion

I believe there is an add-on that needs to go on the parsing layer of your env (probably the indexer). There's a chart on this page of the documentation that highlights which app/add-on needs to go where.

http://docs.splunk.com/Documentation/MSApp/1.2.1/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastruc...

0 Karma

daniel333
Builder

So the only index time app there is listed there , does not have much time stamping in their props.conf. Seems I Might need to write this myself unless someone else has written it? Hoping i am wrong, as this sounds like a lot of hours.

Looking at my queues, and WIndows logs are a big offender.
Also have a indexing latency dashboard and Windows logs are dominating the list.

0 Karma

maciep
Champion

so are your timestamps incorrect or just alerting that it's taking a relatively long time to parse them out?

I think this is a splunk-supported app, so if it needs addressed, maybe open a case with them to fix it. That could benefit everyone in the end. Not sure the urgency for you resolving the issue though.

0 Karma

daniel333
Builder

Urgency isn't terrible, but I can see it taking a lot of time in my queues. Worst offenders. I think Ill open a support ticket. Not sure I want to go through and write 40 props.conf for a supported app

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...