I'm a little confused about the Splunk for Windows Infrastucture app. This seems to be the Splunk 6.x replacement for the older "Splunk for Windows". (I'm running Splunk 6.2.x).
I wanted to use this app to look at OS data, but I don't/won't have access to DNS or Active Directory data (i.e. we have no privileges for either of those technologies in my organization). The docs make it seem like this is really mandatory.
I'm running Splunk 6, so it doesn't seem like I could go back to the "Splunk for Windows 5.x" app either. I'm confused -- what if I only want to know local server (CPU, memory, process, service, event logs, etc) and want that wrapped in a nice dashboard that I don't have to write from scratch?
Thanks
I don't see anything in the "Splunk for Windows Infrastucture app" documentation saying DNS or Active Directory (AD) data is mandatory.
I was able to install the "Splunk Add-on for Microsoft Windows" on a windows server acting as a forwarder, and then install "Splunk App for Windows Infrastructure" on a Linux search head (all systems only using IP addresses w/no AD).
When installing the "Splunk for Windows Infrastucture app" on the search head, there is a guided setup where you may need to check the "Bypass-Prerequite checks" since you don't have AD data, but you can still go through this useful wizard to detect what data is coming.
Once the app is configured and you are in it, I thought the Event Monitoring and Performance Monitoring selections under the Windows drop down were particularly useful.
The app does require access to the perfmon, windows, and wineventlog indexes which need to be created for the add-on. This means, under settings > access controls > roles, these indexes need to be added under "Indexes searched by default", and the user needs to log out and log back in.
I guess I'm a lot confused then :-). While we do use AD (and DNS), it's not a system that my team has rights to interface with other than as mere users.
We run pooled search heads (yes, deprecated, but not able to get off of it that quickly) on Linux. Definitely have Windows data from UF's going to Linux indexers. When I put Splunk for Windows Infrastructure 1.1.3 on the Linux search heads, restart, then try to go into the app, I never get any first time setup page. I've wiped it out and restarted and untar'd it back into the search dir several times and get the same result. When I enter the app, I get the Splunk logo in the upper left, a gray navigation bar with no graphics on it (certainly not the progress bar indicated in the docs) a header that says "Additional Resources" and then 2 links below that for "Documentation" and "Learn more about building custom app dashboards". So the only functional parts of that page are things that go right to Splunk's documentation.
It's probably just me, but I find the documentation for this app rather confusing, but I think because nothing clearly indicated the AD and DNS components were optional, that the lack of those components were why I didn't get anything beyond the simple non-functional page I mentioned above. When I re-read the docs, they seemed to say that I have to install the Splunk add-on for Windows on the search head which makes no sense unless you're search head is Windows (docs don't say that). I tried adding the Splunk_TA_windows anyway and got loads of errors at startup and no difference when entering the Splunk app for Windows Infrastructure.
Something's just not working right with this app and I don't know what/why.
Thanks
@mfrost8 - The "Splunk for Windows Infrastucture app" documentation seems to assume the entire environment (SH, IDX, and UVF) is running on windows, so that's why it says put the Add-on everywhere. I also see it does not show the AD components are optional, but I don't see any dependance on this, so don't think they are required.
I have a Linux SH and IDX, so I did not install the windows add-on there, only on the windows forwarder, and the Infrastucture app on the SH. So no, I don't think you need it anywhere but your windows forwarders! I also don't have AD or DNS components installed.
The App loads fine for me on the linux SH, but it's missing the AD info, which is expected. No weirdness with the interface like you described. It should just open right up to the guided setup.
I think you have something else going on with the install of the infrastructure app on your SH, and it's not related to the AD/DNS components not being installed.
Perhaps the issue is related to your pooled search heads, and how the app is configured? Could you try deploying the app on just one of your search heads locally to see if that makes a difference? Seems unlikely but maybe worth a try?
Another possibility is this is a browser related issue? Could you try different web browsers?
You could also look at the logs on your SH to see if you notice anything pertinent when reproducing the behavior.
Huh. I turned off search head pooling and reinstalled the app in $SPLUNK_HOME/etc/apps.
I then tried hitting the app from the apps pull-down menu (assuming I'd get the first-time setup page).
Using my default browser, Chrome 43, I get that same page with nothing but the 2 links on it. Using IE11, same thing.
But when I tried this with Firefox 31, I got the first-time setup stuff and was able to "bypass checks" along the way and complete the first time setup.
Oddly, even after I completed the first-time setup, IE11 and Chrome 43 both still gave me the same not-useful page with the 2 links on it. I've even tried going to Settings->User interface to open the views directly in chrome and IE and I still get the "2 links" page only.
Also interesting is that if I do "View Source" in Chrome, I certainly see sections that seem to correspond to what I see displayed in Firefox, it just doesn't render it in Chrome or IE11.
Any Javascript errors on IE11 or Chome? Perhaps check F12 in IE to debug....Also maybe try clearing browser cache & cookies? I tested my instance against IE 11 and Chrome... no problems getting to first time setup.
I cleared my cache in IE11 and get the same result. Hit F12 in IE -- doesn't show any javascript errors. I am not familiar with debugging via F12 so I'm not quite sure what to do there.
I asked some other people to try this via their browsers. So far only one has replied, but he gets the exact same results in Chrome (he has IE8 which isn't supported at all with Splunk 6.2).
Perhaps there is some other corporate software like an AV extension (or other browser extension/plugin) on the IE/Chrome browser that is blocking the loading of the page? Or maybe there are some kind of javascript/security restrictions on these browsers.
The fact that it works for you on Firefox indicates it is likely browser related. I can also confirm it works for me in IE and Chrome.
There is some info on the web regarding diagnosing Javascript. This site might be useful:
https://codex.wordpress.org/Using_Your_Browser_to_Diagnose_JavaScript_Errors
I had been trying this on Windows where there's definitely a suite of security apps running. I tried it on my linux workstation where there are no such restrictions and see the same pattern: Firefox works fine, Chrome does not.
I don't know what I was looking at before when hitting F12, but when I look at it now under Chrome or IE11 on any OS, I'm seeing
Refused to execute script from 'https://:8000/dj/static/js/build/splunkjs.min/config.js' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled.
So apparently, the following is in the HTTP header
X-Content-Type-Options: nosniff
which causes Chrome and IE11 to generate this. Presumably because Splunk hasn't set the type for javascript properly on this page. (Shouldn't it be "application/javascript"?).
The search heads are running SuSE and I have seen and applied http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/SuSeLinuxerror even though it's not really this MIME type.
I guess what really surprises me is that Firefox works -- that it does not seem to enforce this as well.
Splunk Add-on for Microsoft Windows is old App that only work for 5.x version.
This was replaced by "Splunk Add-on for Microsoft Windows" , which gather most of windows specific data.
To display this and other addition data App "Splunk App for Windows Infrastructure" is provided by Splunk.
Now if you don't want to use windows Infr app, you could just install "Splunk Add-on for Microsoft Windows" and get required data and create your own Dashboard and views.
Thanks. I'm aware of that. My problem is that I'm trying to use the Splunk app for Windows Infrastructure, but it seems to require that I tie it into AD and DNS. I do not have access to AD or DNS nor am I likely to. From the docs, it seems like it is then impossible to complete setup of this app and thus to use it if I don't have that AD access.
@mfrost8 - See my comment below...