Hello, unfortunately the Windows Infrastructure app v1.0.4 does not work with SHP/SHC at this time due to some issues with replication between search heads and shared storage. Look for an update soon to address this!
Inside the Splunk App for Windows Infrastructure, there is a TA, TA-DNSServer-NT6, that should be used. It's for NT6 and above (including Windows Server 2012 R2).
Thanks,
Jeff.
We may add additional functionality in the future, but this was not a feature we could get in for the triage bar. Please do make the request using official channels so our team in charge of the app can see that it's an important feature request. 🙂
Hi there,
The built-in dashboards in the Windows Infrastructure app are not meant to be edited. You may clone the dashboards and use those to make edits if/when necessary, but the built-in ones should stay static. Also, these are not Splunk dashboards, but Windows Infrastructure dashboards which are specific to the app. Hope this helps.
Hi there. If you would, WinPrintMon should show as a Warning only, not an error. The key errors that are preventing you from moving on should be listed in addition to this WinPrintMon warning in the same section for the item that is not found.
Adding the user to "winfra-admin" would be a better choice, since that is the role designed for the Windows Infrastructure app. 😉
Then alter the winfra-admin role to have the windowze index searched by default. That is why we designed our app this way: it is easier to use alternatively named indexes. Winfra-admin inherits from windows-admin, but as long as one of the two roles is used to search the other index by default, you should be good.
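As an added example (not part of the original answer), this is an authorize.conf fragment that makes the winfra-admin role search the custom index from the question, "windowze", by default. The stanza and setting names follow Splunk's authorize.conf format; the "windows" index name is an assumption standing in for whatever index the app normally uses.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf (or an app's local/authorize.conf)
# Added example, not from the original post. "windowze" is the index name from the
# question; "windows" as the app's usual index is an assumption.

[role_winfra-admin]
# winfra-admin already inherits windows-admin; restating it here is harmless.
importRoles = windows-admin
# Indexes this role is permitted to search at all.
srchIndexesAllowed = windows;windowze
# Indexes searched when a search does not specify index= explicitly.
# Without windowze here, searches that rely on the default index scope return no data.
srchIndexesDefault = windows;windowze
```

To verify, log in as a user holding winfra-admin and run a search without an `index=` term, such as `sourcetype=WinEventLog:Security`; events stored in windowze should now appear.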
Splunk 6.2.0 64-bit? Which package did you use to install? This will help us isolate the issue. Fresh install of the Windows Infrastructure 1.0.4 app as well? Which kernel version also? Fully updated SUSE install? When you open the developer JavaScript console, do you see any red errors? Errors in splunkd.log and django_error.log will help.
Hi etotman, which distribution is running on your Linux search heads? We've tested with 64-bit CentOS 6.x and 7, as well as the latest Ubuntu, in our lab with upgrading Splunk as well as the Windows Infrastructure app. Have you tried refreshing your browser/clearing your cache? Let us know, we're here to help.
Do you have a reason to use heavy forwarders on your Windows servers? The Universal Forwarder is normally sufficient. I'd recommend the Splunk Add-on for Windows (also known as ta-windows) for Windows data. Also the only add-ons included in the Windows Infrastructure app are for Domain Controllers and DNS servers specific to Active Directory. Otherwise, the ta-windows is the only add-on that is needed.
Hi there. The forwarders and the account they run as are the only ones that really matter in this case. The Indexers and Search Heads can run on any supported OS, so the Local System account won't be available there anyway. You can run with a domain account, but we recommend Local System if possible unless there is a need to run as a domain user for least privilege.
Thanks!
All steps are located on the documentation page for the app, located here:
http://docs.splunk.com/Documentation/MSApp/1.0.2/MSInfra/Platformandhardwarerequirements
Hi there. Have you deployed the TA-windows and turned on the inputs inside of it? Without the TA-windows (Splunk Add-on for Windows) you will not receive any Windows-related data.
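As an added example serving both the point above about the Universal Forwarder plus the Splunk Add-on for Windows and the point that its inputs must be turned on (this is not code from the original answers or from the add-on itself): an inputs.conf override that enables the core Windows event log inputs on a forwarder. The index name "windows" and the exact set of channels are assumptions; the DNS Server event log input belongs to TA-DNSServer-NT6 and is deliberately not repeated here.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf on the Universal Forwarder
# (or pushed to forwarders from a deployment server). Added example, not from the original
# posts. The add-on ships with its inputs disabled; enabling them in local/ rather than
# default/ keeps the change across add-on upgrades. "windows" as the index is an assumption.

[WinEventLog://Security]
disabled = 0
index = windows
# Collect historical events too, so the app's first-time-run auto-detection has data to find.
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
index = windows

[WinEventLog://Application]
disabled = 0
index = windows
```

After restarting the forwarder, check the Data Summary in Search on the search head: sourcetypes such as WinEventLog:Security should be listed, and the index you chose must be in the searching role's default indexes or the app's pages will still look empty.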
Glad I could answer it. 🙂
Give it a try, check those boxes, and look at some of the user/computer/etc. related items under Active Directory in the navigation menu. You should start seeing your data show up given an appropriate time frame.
The searches for auto-detection in our First Time Run experience are only within the last 15 minutes, which would explain why you saw a computer event. If you explicitly check those items, you should see them show up in the pages associated with those items.
One reason may be that the index(es) used to house the DNS Server traffic may not be in your default-searched-indexes listing under the User role. Also, if you don't see "WinEventLog:DNS Server", you may see "WinEventLog:DNS-Server" (notice the dash). Searching in data summary for "dns" will reveal a bit more.
Hi there. The reason you're seeing DNS Server is the TA-DNSServer-NT6 add-on, which you are required to deploy to your DCs and which has specific inputs for DNS Server related event logs. Hope this helps.
Hi there. Those lookups are shipped, not built. You may find them in the original download package for Windows Infrastructure under the lookups folder.
Thanks!
Jeff.
Which user is Splunk running as on the systems? What repro steps can you provide that will help us debug this?
Which version of Splunk are you using?