Troubleshoot the Splunk Add-on for Windows
Field dest not properly extracted
The field dest is not extracted properly for the sources XmlWinEventLog:Security or WinEventLog:Security.
The field dest is extracted by the Computer_as_dest stanza, which is configured in default/transforms.conf. The value of this field may contain "."-separated components, for instance WB-DEATHSTAR.VADER. In add-on version 8.0.0, the stanza was updated so that it extracts the entire value:
[Computer_as_dest]
REGEX = <Computer>([^<]+)<\/Computer>
FORMAT = dest::$1
If, however, the field value is expected to break at the first ".", change the regex in the stanza as follows:
[Computer_as_dest]
REGEX = <Computer>([^.<]+).*?<\/Computer>
FORMAT = dest::$1
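To see what each of the two stanzas above assigns to dest, here is an added example (not code from the add-on or the Splunk docs) that emulates a REGEX/FORMAT pair against a constructed XML Security event fragment; the Invoke-Transform helper and the sample event are assumptions for illustration only.

```powershell
# Constructed sample: the <System> block of an XmlWinEventLog:Security event,
# using the dotted Computer name from this page.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <Computer>WB-DEATHSTAR.VADER</Computer>
  </System>
</Event>
'@

# Minimal emulation of a transforms.conf stanza (hypothetical helper):
# REGEX captures a group, FORMAT "<field>::$<n>" names the field that
# receives capture group n.
function Invoke-Transform {
    param(
        [string]$Regex,
        [string]$Format,
        [string]$Event
    )
    $result = @{}
    $m = [regex]::Match($Event, $Regex)
    if (-not $m.Success) { return $result }
    # Split FORMAT into the field name and the $n group reference
    $field, $groupRef = $Format -split '::', 2
    $groupIndex = [int]($groupRef.TrimStart('$'))
    $result[$field] = $m.Groups[$groupIndex].Value
    return $result
}

# Stanza as shipped in add-on 8.0.0: keeps the whole Computer value
$full = Invoke-Transform -Regex '<Computer>([^<]+)<\/Computer>' `
                         -Format 'dest::$1' -Event $sampleEvent

# Variant from this page: stops at the first "."
$short = Invoke-Transform -Regex '<Computer>([^.<]+).*?<\/Computer>' `
                          -Format 'dest::$1' -Event $sampleEvent

"8.0.0 regex     -> dest = $($full['dest'])"
"dot-break regex -> dest = $($short['dest'])"
```

The first call keeps the full name and the second keeps only the part before the first dot, matching the two behaviours described above.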
Cannot launch add-on
This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.
For more details about add-on visibility and instructions for turning visibility off, see Troubleshoot add-ons in Splunk Add-ons.
Upgrading from a previous version
If you recently upgraded to the Splunk Add-on for Windows version 6.0.0 and are experiencing data loss, you might have incorrectly upgraded your add-on. See Upgrade the Splunk Add-on for Windows for instructions on upgrading your add-on.
Potential data duplication issues
Windows 8, Windows 8.1, Windows Server 2012, Windows 2008R2, and Windows 2012R2 overwrite the WindowsUpdate.Log file after it reaches a certain size, and then truncate the log file from the beginning. The size of the truncation depends on the size of new events. This may cause data duplication.
In Windows 10 and Windows Server 2016, the Get-WindowsUpdateLog command generates a static WindowsUpdate.log file every time the command runs. This causes re-indexing of the entire file, which may cause data duplication.
Use the following searches to check that the Splunk Add-on for Windows is properly configured.
Run the following search to see the count of events by sourcetype collected by the Splunk Add-on for Windows. If you are not using a custom index, run the following search with
index=<your custom index name here> | stats count by sourcetype
If the search does not return the expected sourcetypes, check the following.
- You have enabled the inputs included with the Splunk Add-on for Windows on each forwarder that runs the add-on.
- You have installed the add-on on the indexers or heavy forwarders in your deployment.
- If you have changed the index names in inputs.conf, make sure that the custom indexes are present on all forwarders and indexers.
Run the following search to see if Windows Event Log and performance metric data are present in Splunk Enterprise.
eventtype=wineventlog_windows OR eventtype=perfmon_windows
If the search does not return the expected events, check the following.
- You have the "windows_admin" role added to your user. See the Configure users and roles section in Upgrade the Splunk Add-on for Windows.
If the search does not return expected events, make sure that you have installed the Splunk Add-on for Windows on all search heads in your Splunk Enterprise deployment.
Events missing from Splunk software
If you are noticing dropped events in your Splunk platform, it may be the result of a log retention setting in the Windows Event Viewer. Follow the steps below to increase the log size so that events are not lost before they are collected.
- From a Windows desktop, open the Event Viewer desktop application.
- From the Event Viewer navigation tree, select Windows Logs.
- Right-click the log whose log size needs to be increased and select Properties.
- Check to see if Enable logging is selected. If not, select Enable logging.
- In the Maximum log size field, specify a size based on your own requirements.
- Under When maximum event log size is reached, select Overwrite events as needed (oldest events first).
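The same check and change from an elevated PowerShell session, as an added example that is not part of the Splunk docs: Get-WinEvent reports the settings the Event Viewer dialog exposes, and wevtutil applies them. The function names and the 1024 MB size are assumptions; choose a size that fits your environment.

```powershell
# Report the Security log settings that correspond to the Event Viewer steps.
function Get-EventLogRetention {
    param([string]$LogName = 'Security')
    $log = Get-WinEvent -ListLog $LogName
    [pscustomobject]@{
        LogName       = $log.LogName
        IsEnabled     = $log.IsEnabled                          # "Enable logging"
        MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
        # Circular = "Overwrite events as needed"; Retain = "Do not overwrite events"
        LogMode       = $log.LogMode
        # In Retain mode, new events are discarded once the log is full
        DropsWhenFull = ($log.LogMode -eq 'Retain')
    }
}

# Apply the settings with wevtutil: /ms = max size in bytes (use a multiple
# of 64 KB), /rt:false = overwrite as needed, /e:true = logging enabled.
function Set-EventLogRetention {
    param(
        [string]$LogName = 'Security',
        [int]$MaxSizeMB = 1024        # assumed size for this example
    )
    $bytes = [int64]$MaxSizeMB * 1MB
    & wevtutil.exe set-log $LogName "/ms:$bytes" /rt:false /e:true
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil set-log failed for $LogName (exit code $LASTEXITCODE)"
    }
    Get-EventLogRetention -LogName $LogName
}

# Only change the log when it would drop events or is smaller than wanted.
$before = Get-EventLogRetention -LogName 'Security'
if ($before.DropsWhenFull -or -not $before.IsEnabled -or $before.MaxSizeMB -lt 1024) {
    Set-EventLogRetention -LogName 'Security' -MaxSizeMB 1024
} else {
    $before
}
```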
Third-party field extraction errors
The Splunk Add-on for Windows 5.0.x removes NTSyslog, Snare, MonitorWare, and Enterprise Security 2.0.2 field extractions. See Upgrade the Splunk Add-on for Windows for instructions on how to successfully upgrade the Splunk Add-on for Windows.
Splunk events are sent to main index
The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x. See Upgrade the Splunk Add-on for Windows for instructions on how to successfully upgrade the Splunk Add-on for Windows.
Error: "The following error occurred: The service has not been started." for TimeSyncConfiguration or TimeSyncStatus
If you see this error in your logs for sourcetype=Script:TimesyncConfiguration or sourcetype=Script:TimesyncStatus, enable the Windows Time service.
- From the Windows desktop, open the Run app.
- Search for the services.msc file.
- In the services.msc file, select Windows Time.
- Click Properties, start the service, and change the startup type to Automatic.
- Save your changes.
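The same fix scripted for an elevated PowerShell session on the forwarder host, as an added example that is not part of the Splunk docs: it sets the Windows Time service (service name W32Time) to Automatic, starts it, and fails loudly if the service does not reach Running. The function name is an assumption.

```powershell
function Enable-WindowsTimeService {
    # Throws if the service does not exist on this host
    $svc = Get-Service -Name W32Time -ErrorAction Stop

    # Startup type "Automatic" so the service survives a reboot
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name W32Time -StartupType Automatic
    }

    # Start it now; WaitForStatus throws after the timeout if it never starts
    if ($svc.Status -ne 'Running') {
        Start-Service -Name W32Time
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    # Re-read the state so the report reflects the changes just made
    Get-Service -Name W32Time | Select-Object Name, Status, StartType
}

Enable-WindowsTimeService
```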
Searches for WinEventLogs are not returning older events
sourcetype=XmlWinEventLog does not return already indexed events. See source and sourcetype changes.
"File $SplunkHome\bin\splunk-powershell.ps1 cannot be loaded because running scripts is disabled on this system"
This issue is caused by the PowerShell execution policy on your Microsoft Windows system. See about Execution Policies for more information on configuring execution policies on your Microsoft Windows deployment.