Hello,
I've recently installed the SCCM app and cannot get any of the dashboards to display info. The only data I see is from the two out-of-the-box reports. In an attempt to troubleshoot this issue, I ran a query to see what (if anything) was being indexed, and while there is a good amount of data, it looks as though all DB tails are being indexed except dbmon-tail://sccm/ta_sccm_malware_dbinput and dbmon-tail://sccm/sccm_installed_software_dbinput. Is there any setting I'm missing? I thought it may be disabled somewhere but can't find anything in the config files.
I vaguely remember a problem when I set this up as well. Check that both the sccm and sccm_status indexes exist - some inputs go to one, some go to the other, and I think one wasn't set up by default.
If you find nothing wrong there, compare your working inputs with the non-working inputs. One that should be working (given what you didn't say above) would be [dbmon-tail://sccm/sccm_status_message_dbinput]. Double-check that you pasted all of them into dbx/local/inputs.conf, that they match on everything they should match on, and that the differences are reasonable.
Have you had any malware incidents since you set this up? Maybe there's just no data yet? (I thought it grabbed history, but if, for instance, you tested the inputs once but something went wrong, you might have to reset the rising column's stored value in Splunk to make it read all the records again).
If those aren't it, check your $splunkhome/var/log/splunk/dbx.log file for more information. That may tell you pretty much exactly what's wrong or at least give you hints as to where to look. If you still can't get it, reply in here with what you've tried as best you can, reporting any errors you found or warnings that seem relevant and we can take a further look.
Good luck, and let us know what you find!
Thanks for the info. I do have the sccm and sccm_status indexes and they are being written to. I also verified the inputs I pasted in the dbx/local/inputs.conf. Then I checked the log and it looks as though there aren't any errors. All the database monitors are executing fine with no failures.
I did notice that by default, the sccm and sccm_status are not being searched when I open the Query String in the panels. I confirmed that in the sccm_user role, both were listed in the Indexes searched by default.
I've never run into this before. I don't think I have anything set to override this setting.
Is the user you are checking with assigned the sccm_user role?
You could try adding searching of those indexes by default to your main user role temporarily just to confirm.
Beyond that - a random panel in my SCCM App (now that I'm back at work) says the root search for it is
tag=malware vendor_product=SystemCenterEndpointProtection action_result=false
So, each of those pieces can be tested in a search -
My guess is one of those isn't set right. Chasing it down can be a bit of work some times, but let us know what you do find.
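The checks suggested in the two replies above, written out as Splunk searches to run in order from the affected user's session (an added example, not from the original thread or the SCCM app). Assumed: the installed-software events carry sourcetype sccm:installed_software and the eventtype is named sccm_change_audit, as mentioned later in the thread; the REST endpoints are standard Splunk ones.

```spl
| rest /services/authentication/current-context splunk_server=local
| table username roles

| rest /services/authorization/roles splunk_server=local
| search title=sccm_user
| table title srchIndexesDefault srchIndexesAllowed

index=sccm OR index=sccm_status earliest=-7d
| stats count latest(_time) AS last_event BY index sourcetype

index=sccm earliest=-7d tag=malware
| stats count AS tagged_malware_events

index=sccm earliest=-7d vendor_product=SystemCenterEndpointProtection
| stats count AS scep_events

index=sccm earliest=-7d vendor_product=SystemCenterEndpointProtection action_result=false
| stats count AS scep_failed_actions

index=sccm earliest=-7d sourcetype="sccm:installed_software"
| stats count AS installed_software_events

| rest /services/saved/eventtypes splunk_server=local
| search title=sccm_change_audit
| table title search
```

The first two searches show whether the user actually holds sccm_user and whether that role searches sccm and sccm_status by default; the remaining ones test each piece of the panel's root search on its own, so the first one that returns zero points at the missing tag, field extraction or input.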
Ugg, that was one of the missing pieces. It was on a rebuilt system that blew away the sccm_user role. So now I have data in the dashboards, but still missing the sccm:installed_software and eventtype="sccm_change_audit" data. I'll keep digging and let you know what I find. Thank you for your help.
I also do not have any data for installed software.
All other dashboards and search are working. I have confirmed the user role and the two indexes.
I have also double-checked DB Connect for dbmon-tail://sccm/sccm_installed_software_dbinput. Changed that to 5 minutes, but still no information?
Here is what is in the SQL query:
with software as (
    -- Currently installed software (active = 1), already normalized by SCCM.
    select
        [timestamp],
        resourceid,
        active = 1,
        softwarepropertieshash0,
        softwarepropertieshashex0,
        normalizedname as product_name,
        normalizedversion as product_version,
        normalizedpublisher as product_publisher,
        InstallDate0 as installation_date,
        categoryname as category,
        familyname as family
    from v_gs_installed_software_categorized
    UNION ALL
    -- Historical (removed) software (active = 0), normalized through the software-hash lookups.
    -- UNION ALL matches columns by position, so this branch lists them in exactly the
    -- same order as the branch above (version before publisher, category before family);
    -- otherwise values land in the wrong fields.
    select
        s.[timestamp],
        s.resourceid,
        active = 0,
        s.softwarepropertieshash0,
        s.softwarepropertieshashex0,
        coalesce(sl.commonname, s.productname0) as product_name,
        coalesce(sl.commonversion, s.productversion0) as product_version,
        coalesce(sl.commonpublisher, s.publisher0) as product_publisher,
        s.InstallDate0 as installation_date,
        cat.categoryname as category,
        fam.familyname as family
    from v_hs_installed_software s
    left outer join v_lu_softwarehash sh
        on sh.softwarepropertieshash = s.softwarepropertieshash0
    left outer join v_lu_softwarelist sl
        on sl.softwareid = sh.softwareid
    -- 4892 / 4891 are the fallback category and family ids used when the hash lookup finds nothing.
    inner join v_lu_category as cat
        on cat.categoryid = coalesce(sl.categoryid, 4892)
    inner join v_lu_family as fam
        on fam.familyid = coalesce(sl.familyid, 4891)
    where s.softwarepropertieshash0 is not null
)
select *
from software
-- DB Connect placeholder: on each run only rows past the stored rising-column checkpoint are returned.
{{WHERE $rising_column$ > ?}}