Changing Index for ActiveDirectory Sourcetype within Splunk_TA_windows

Jarohnimo
Builder

Hello All,

I'm using the Splunk_TA_windows app from Splunk to understand Windows data. I've modified the app to pour data into the indexes of my choice and everything works fine (I've deployed the Splunk_TA_windows to all the Windows nodes and they are pouring data back as I've specified), with the exception of one sourcetype.

Sourcetype = ActiveDirectory

This sourcetype pours its data into the "main" index. I desire all of the ActiveDirectory info to be poured into index = a

As a test to determine how the data was being poured in, I temporarily disabled the Splunk_TA_windows app from its server class. All of the "ActiveDirectory" info stopped being poured in as the Windows deployment app was disabled. Once I turned the app back on, all the data began to pour back in (to the main index).

I also noticed under "All Configurations" that the sourcetype ActiveDirectory had 3 entries; all showed the config type was props-extract.

I then navigated over to $SPLUNK_HOME/etc/system/local/ to see if there was an entry made there that would cause this, and I see nothing. I tried to create an entry and specify index = a but it had no effect.

It appears that whatever is causing the sourcetype = ActiveDirectory to pour its data into main is directly tied to the Splunk_TA_windows app. I cannot locate where or how to modify it so that the Active Directory info goes to the index of my choosing. Thank you for your assistance.

0 Karma
1 Solution

micahkemp
Champion

The admon input included in the TA doesn't list a sourcetype in its default inputs.conf (it's set in code somewhere), so it may not stand out when looking for it, but you can see your admon inputs thusly:

[splunk@indexer ~]$ ./bin/splunk btool inputs list admon
[admon://default]
disabled = 1
host = indexer
index = default
monitorSubtree = 1

This is what is in the default input listing in the TA:

[admon://default]
disabled = 1
monitorSubtree = 1

Wherever you have enabled admon://default is where you should add index = <new index>.

0 Karma

gnoellbn
Explorer

When this sort of thing happens in our environment, I use btool to make sure the config that is loaded corresponds to what I am expecting.

./splunk cmd btool inputs list

You can add "--debug" at the end of the command to see which config file causes what:

./splunk cmd btool inputs list --debug

Write it to a file and start digging for the sourcetype you are looking for 🙂

Ref: https://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Usebtooltotroubleshootconfigurati...

0 Karma
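As an added illustration (not Splunk's code and not from either answer above), the script below emulates the layering that btool performs on inputs.conf so you can see which file actually enables admon://default and which file supplies its index, the same provenance that btool --debug prints. The file paths and contents are constructed for the example: the TA's default stanza has no index, as the accepted answer notes, and a hypothetical app local file enables the input without one. Only the layer order system/default < app default < app local < system/local is modelled; the ordering between different apps within one layer is not.

```python
"""Emulate how Splunk layers inputs.conf so we can find where
[admon://default] is enabled and which file decides its index.
Added example, not Splunk's btool; sample configs are constructed."""
import re

# Constructed sample files, keyed by path relative to $SPLUNK_HOME.
# The TA's default stanza carries no index (as in the thread); a
# hypothetical app local file enables the input, also without an index.
SAMPLE_FILES = {
    "etc/system/default/inputs.conf":
        "[default]\nindex = default\nhost = indexer\n",
    "etc/apps/Splunk_TA_windows/default/inputs.conf":
        "[admon://default]\ndisabled = 1\nmonitorSubtree = 1\n",
    "etc/apps/Splunk_TA_windows/local/inputs.conf":
        "[admon://default]\ndisabled = 0\n",
}

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text):
    """Parse a .conf file into {stanza: {key: value}}; comments and blank lines skipped."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return stanzas


def render(stanzas):
    """Serialise {stanza: {key: value}} back to .conf text (comments are not preserved)."""
    out = []
    for name, keys in stanzas.items():
        out.append(f"[{name}]\n")
        for key, value in keys.items():
            out.append(f"{key} = {value}\n")
        out.append("\n")
    return "".join(out)


def layer_rank(path):
    """Global-context precedence, lowest to highest:
    system/default < app default < app local < system/local."""
    if path.startswith("etc/system/default/"):
        return 0
    if path.startswith("etc/system/local/"):
        return 3
    return 2 if "/local/" in path else 1


def merge(files):
    """Layer all files; returns {stanza: {key: (value, source_path)}}, later layers winning."""
    merged = {}
    for path in sorted(files, key=layer_rank):
        for stanza, keys in parse_conf(files[path]).items():
            target = merged.setdefault(stanza, {})
            for key, value in keys.items():
                target[key] = (value, path)
    return merged


def resolve(merged, stanza, key):
    """Effective (value, source_path) for a key, falling back to the [default] stanza."""
    if key in merged.get(stanza, {}):
        return merged[stanza][key]
    if key in merged.get("default", {}):
        return merged["default"][key]
    return (None, None)


def enabled_in(merged, stanza):
    """Path of the file whose disabled = 0 is in effect for the stanza, or None."""
    value, path = resolve(merged, stanza, "disabled")
    return path if value == "0" else None


def fix(files, stanza, index):
    """Set index = <index> inside the stanza in the file where it is enabled (the accepted answer's advice)."""
    path = enabled_in(merge(files), stanza)
    if path is None:
        raise ValueError(f"{stanza} is not enabled in any layer")
    stanzas = parse_conf(files[path])
    stanzas[stanza]["index"] = index
    patched = dict(files)
    patched[path] = render(stanzas)
    return patched


if __name__ == "__main__":
    before = merge(SAMPLE_FILES)
    print("admon enabled in :", enabled_in(before, "admon://default"))
    print("index before     :", resolve(before, "admon://default", "index"))
    after = merge(fix(SAMPLE_FILES, "admon://default", "a"))
    print("index after      :", resolve(after, "admon://default", "index"))
```

Before the fix the index resolves to "default" from the [default] stanza in system/default, which is why the events land in the default index rather than one the TA chose; after the fix it comes from the local file that enabled the input. Run the real check on the host that runs the input, since files under etc/system/local on a deployment server do not reach the forwarders it manages.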
