About jbernt_splunk

jbernt_splunk · ‎07-15-2015

If you can do Raid 10 instead for hot/warm buckets, that would be best.

jbernt_splunk · ‎05-20-2015

Hello, unfortunately the Windows Infrastructure app v1.0.4 does not work with SHP/SHC at this time due to some issues with replication between search heads and shared storage. Look for an update soon to address this!

jbernt_splunk · ‎04-08-2015

Inside the Splunk App for Windows Infrastructure, there is a TA for TA-DNSServer-NT6 that should be used. It's for NT6 and above (including Windows Server 2012 R2. Thanks, Jeff.

jbernt_splunk · ‎04-01-2015

We may add additional functionality in the future, but this was a not a feature we could get in for the triage bar. Please do make the request using official channels so our team in charge of the app can see that it's an important feature request. 🙂

jbernt_splunk · ‎04-01-2015

Hi there, The build in dashboards in the Windows Infrastructure app are not meant to be edited. You may clone the dashboards and use those to make edits if/when necessary, but the built in ones should stay static. Also, these are not Splunk dashboards, but Windows Infrastructure dashboards which are specific to the app. Hope this helps.

jbernt_splunk · ‎02-18-2015

Technically it does function, just does not use the PowerShell modinput ^_^.

jbernt_splunk · ‎02-10-2015

Hi there. If you would, WinPrintMon should show as a Warning only, not an error. The key errors that are preventing you from moving on should be listed in addition to this WinPrintMon warning in the same section for the item that is not found.

jbernt_splunk · ‎01-23-2015

Adding the user to "winfra-admin" would be a better choice, since that is the role designed for the Windows Infrastructure app. 😉 Then alter the winfra-admin role to have the windowze index searched by default. That is why we designed our app this way, easier to use alternatively named indexes. Winfra-admin inherits from windows-admin, but as long as one of the two roles is used to search the other index by default, you should be good.

jbernt_splunk · ‎11-05-2014

Splunk 6.2.0 64bit? which package did you use to install? This will help us isolate the issue. Fresh install of the Windows Infrastructure 1.0.4 app as well? Which kernel version also? Fully updated Suse install? When you open the developer javascript console, do you see any red errors? Errors in splunkd.log and django_error.log will help.

jbernt_splunk · ‎11-04-2014

Hi etotman, which distribution is running on your linux search heads? We've tested with 64bit centos 6x and 7, as well as latest ubuntu in our lab with upgrading Splunk as well as the Windows Infrastructure app. Have you tried refreshing your browser/clearing your cache? Let us know, we're here to help.

jbernt_splunk · ‎09-09-2014

Do you have a reason to use heavy forwarders on your Windows servers? The Universal Forwarder is normally sufficient. I'd recommend the Splunk Add-on for Windows (also known as ta-windows) for Windows data. Also the only add-ons included in the Windows Infrastructure app are for Domain Controllers and DNS servers specific to Active Directory. Otherwise, the ta-windows is the only add-on that is needed.

jbernt_splunk · ‎09-09-2014

Hello. The UseEnglishOnly tag can be fixed with the latest TA-Windows 4.7.1. The other warnings can be ignored safely.

jbernt_splunk · ‎09-08-2014

Hi there. The forwarders and the account they run as are the only ones that really matter in this case. The Indexers and Search Heads can run on any supported OS, so the Local System account won't be available there anyway. You can run with a domain account, but we recommend Local System if possible unless there is a need to run as a domain user for least privilege. Thanks!

jbernt_splunk · ‎08-13-2014

All steps are located on the documentation page for the app, located here: http://docs.splunk.com/Documentation/MSApp/1.0.2/MSInfra/Platformandhardwarerequirements

jbernt_splunk · ‎08-11-2014

Don't forget there's a configuration step as well to turn on the inputs.

jbernt_splunk · ‎08-11-2014

Hi there. Have you deployed the TA-windows and turned on the inputs inside of it? Without the TA-windows (Splunk Add-on for Windows) you will not receive any Windows-related data.

jbernt_splunk · ‎07-07-2014

Hello. Yes, the TA-DNSServer-NT6 will work on Windows Server 2012 R2.

jbernt_splunk · ‎06-10-2014

Glad I could answer it. 🙂 Give it a try, check those boxes, and look at some of the user/computer/etc. related items under Active Directory in the navigation menu. You should start seeing your data show up given an appropriate time frame.

jbernt_splunk · ‎06-09-2014

The searches for auto-detection in our First Time Run experience are only within the last 15 minutes, which would explain why you saw a computer event. If you explicitly check those items, you should see them show up in the pages associated with those items.

jbernt_splunk · ‎05-30-2014

Have you configured the SA-ldapsearch/local/ldap.conf yet and turned on Auditing?

jbernt_splunk · ‎05-30-2014

What OS? What version of Splunk? Which version of the App? Which log file are you seeing these errors in?

jbernt_splunk · ‎05-29-2014

One reason may be that the index(es) used to house the DNS Server traffic may not be in your default-searched-indexes listing under the User role. Also, if you don't see "WinEventLog:DNS Server", you may see "WinEventLog:DNS-Server" (notice the dash). Searching in data summary for "dns" will reveal a bit more.

jbernt_splunk · ‎05-29-2014

Hi there. The reason you're seeing DNS Server, is due to the TA-DNSServer-NT6 addon that is required that you have deployed to your DCs that has specific inputs for DNS Server related eventlogs. Hope this helps.

jbernt_splunk · ‎05-05-2014

Hi there. Those lookups are shipped, not built. You may find them in the original download package for Windows Infrastructure under the lookups folder. Thanks! Jeff.

jbernt_splunk · ‎04-21-2014

Which user is Splunk running as on the systems? What repro steps can you provide that will help us debug this? Which version of Splunk are you using?

Posts	70
Solutions	13
Karma Given	42
Karma Received	42
Member Since	‎04-29-2013

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

Re: Raid 6, setting up for performance issues?

Re: Does Splunk App for Windows Infrastructure (1....

Re: Is there an Add-on for DNS Server running on W...

Re: How do I edit the dashboards within the Splunk...

Re: How do I edit the dashboards within the Splunk...

Re: Powershell script consuming memory

Re: How to get past "Check Data" screen in Splunk ...

Re: Splunk App for Windows Infrastructure: How to ...

Re: After upgrading to Splunk 6.2 the App for Wind...

Re: After upgrading to Splunk 6.2 the App for Wind...

Re: If I plan to install heavy forwarders on Windo...

Re: "No spec file" and "Invalid key in stanza" whe...

Re: Should we install forwarders, indexers and sea...

Re: Why are there missing metrics in performance d...

Re: Why are there missing metrics in performance d...

Re: Why are there missing metrics in performance d...

Re: Is there a new TA for 2012 DNS servers or will...

Re: App for Windows Infrastructure can't track AD ...

Re: App for Windows Infrastructure can't track AD ...

Re: Splunk app for windows infrastructure no Activ...

Re: Windows Infrastructure App - AttributeError: '...

Re: Why is Search & Reporting not displaying expec...

Re: Why is Search & Reporting not displaying expec...

Re: Splunk App for Windows Infrastructure Not Buil...

Re: Windows Infrastructure app and Invalid Languag...