Troubleshoot the Splunk Add-on for Windows
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Field dest not properly extracted
Field dest not extracted properly for sources WinEventLog:System
, XmlWinEventLog:System
, XmlWinEventLog:Security
, or WinEventLog:Security.
The field dest is extracted from the stanza Computer_as_dest
, which is configured in default/transforms.conf
. The value for this field may include "." separated values, for instance WB-DEATHSTAR.VADER
. In the add-on version 8.0.0, this has been updated so that it extracts the entire value. For example:
[Computer_as_dest] REGEX = <Computer>([^<]+)<\/Computer> FORMAT = dest::$1
If, however, the expected value of the field is that the value should break at the ".", then the regex in the stanza can be changed as follows:
[Computer_as_dest] REGEX = <Computer>([^.<]+).*?<\/Computer> FORMAT = dest::$1
Cannot launch add-on
This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.
For more details about add-on visibility and instructions for turning visibility off, see Troubleshoot add-ons in Splunk Add-ons.
Upgrading from a previous version
If you recently upgraded to the Splunk Add-on for Windows version 6.0.0 and are experiencing data loss, you might have incorrectly upgraded your add-on. See Upgrade the Splunk Add-on for Windows for instructions on upgrading your add-on.
Potential data duplication issues
Windows 8, Windows 8.1, Windows Server 2012, Windows 2008R2, and Windows 2012R2 overwrite the WindowsUpdate.Log
file after it reaches a certain size, and then truncate the log file from the beginning. The size of the truncation depends on the size of new events. This may cause data duplication.
In Windows 10 And Windows Server 2016, the Get-WindowsUpdateLog
command will generate a static WindowsUpdate.log
file every time the command runs. This causes re-indexing of the entire file, which may cause data duplication.
Troubleshooting searches
Use the following searches to check that the Splunk Add-on for Windows is properly configured.
Run the following search to see the count of events by sourcetype collected by the Splunk Add-on for Windows. If you are not using a custom index, run the following search with index=main
.
index=<your custom index name here> | stats count by sourcetype
If the search does not return the expected sourcetypes, check the following.
- You have enabled the inputs included with the Splunk Add-on for Windows on each forwarder that runs the add-on.
- You have installed the add-on into the indexers or heavy forwarders in your deployment
- If you have changed the index names in
inputs.conf
, make sure that the custom indexes are present on all forwarders and indexers.
Run the following search to see if Windows Event Log and performance metric data are present in Splunk Enterprise.
eventtype=wineventlog_windows OR eventtype=perfmon_windows
If the search does not return the expected events, check the following.
- You have the "windows_admin" role added to your user. See the Configure users and roles section in Upgrade the Splunk Add-on for Windows.
If the search does not return expected events, make sure that you have installed the Splunk Add-on for Windows on all search heads in your Splunk Enterprise deployment.
Events missing from Splunk software
If you are noticing dropped events in your Splunk platform, it may be a result of a setting in the Windows Utility Viewer. Follow the steps below to avoid event override.
- From a Windows desktop, open the Event Viewer desktop application.
- From the Event Viewer navigation tree, select Windows Logs.
- Right-click the log whose log size needs to be increased and select Properties.
- Check to see if Enable logging is selected. If not, select Enable logging.
- In the Maximum log size field, specify a size based on your own requirements.
- In the When maximum event log size is reached, select Overwrite events as needed (oldest events first).
Third party field extractions errors
The Splunk Add-on for Windows 5.0.x removes NTSyslog, Snare, MonitorWare, and Enterprise Security 2.0.2 field extractions. See Upgrade the Splunk Add-on for Windows for instructions on how to successfully upgrade the Splunk Add-on for Windows.
Splunk events are sent to main index
The indexes.conf
file was removed in the Splunk Add-on for Windows version 5.0.x. See Upgrade the Splunk Add-on for Windows for instructions on how to successfully upgrade the Splunk Add-on for Windows.
Error: "The following error occurred: The service has not been started. " for TimeSyncConfiguration or TimeSyncStatus
If you see the following error in your logs for sourcetype=Script:TimesyncConfiguration or sourcetype=Script:TimesyncStatus, enable the Windows Time service.
Steps
- From the Windows desktop, open the Run app.
- Search for the services.msc file
- In the services.msc file, select Windows Time
- Click on Properties and change the service status to start and change start type to automatic.
- Save your changes.
Searches for WinEventLogs are not returning older events
Searching for sourcetype=WinEventLog
or sourcetype=XmlWinEventLog
does not return already indexed events. See source and sourcetype changes.
"File $SplunkHome\bin\splunk-powershell.ps1 cannot be loaded because running scripts is disabled on this system"
This issue is caused by an execution policy issue on your Microsoft Windows system. See about Execution Policies for more information on configuring execution policies on your Microsoft Windows deployment.
Windows Update log in unknown format for Win 2016 and above version
If you see that Windows Update Logs are in an unknown format for Win 2016 and above, you need to get the output of WindowsUpdate.log in the correct format. You need administrative rights to run the command Get-WindowsUpdateLog
which is directly a Microsoft Windows requirement. See https://docs.microsoft.com/en-gb/archive/blogs/charlesa_us/windows-10-windowsupdate-log-and-how-to-view-it-with-powershell-or-tracefmt-exe for more information.
To get the output of WindowsUpdate.log in the correct format, do the following steps:
- Run the Splunk platform as an admin user.
- Select search > run > services.msc.
- After the services tab opens, select the Splunkd or Splunkd Service then go to Properties.
- Select the Log On tab. Select the second option, log on as "This account", browse the account and type the password and confirm password for that account and apply the changes.
- Stop the Splunkd or Splunkd Service and then start it again.
Configure the Splunk Add-on for Windows | Lookups for the Splunk Add-on for Windows |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!