Content Pack for Windows Dashboards and Reports

This documentation does not apply to the most recent version of Content Pack for Windows Dashboards and Reports. For documentation on the most recent version, go to the latest release.

Troubleshoot the Content Pack for Windows Dashboards and Reports

The Content Pack for Windows Dashboards and Reports relies on the Splunk Add-on for Windows and the Splunk Supporting Add-on for Active Directory for data input collection and knowledge object management. When troubleshooting, determine whether the issue you are experiencing is relevant to the content pack or to the add-ons.

Here are some common issues in Content Pack for Windows Dashboards and Reports and how to resolve them:

Getting warning "Eventtype 'wineventlog-ds' does not exist or is disabled"

Problem

Getting warning "Eventtype 'wineventlog-ds' does not exist or is disabled" when a search is run in the Search and Reporting app.

Cause

The Content Pack for Windows Dashboards and Reports depends on the Splunk Add-on for Windows. Because this content pack is enabled by default, if the Splunk Add-on for Windows is not installed you receive this warning when the searches in the content pack are run.

Solution

To resolve this, disable the Content Pack for Windows Dashboards and Reports.

Splunk Cloud Platform customers with ITSI and the Splunk App for Content Packs installed on a dedicated search-head environment can follow these steps to disable the content pack:

  1. Go to Manage apps.
  2. Search for "Content Pack for Windows Dashboards and Reports."
  3. Select Disable.

Splunk Cloud Platform customers with ITSI and the Splunk App for Content Packs installed on a search-head cluster environment can contact the CloudOps team to disable Content Pack for Windows Dashboards and Reports.

On-premises customers with ITSI and the Splunk App for Content Packs installed on a dedicated search head can follow these steps to disable the content pack:

  1. Go to Manage apps.
  2. Search for "Content Pack for Windows Dashboards and Reports."
  3. Select Disable.

On-premises customers with ITSI and the Splunk App for Content Packs installed on a search-head cluster environment can follow these steps:

  1. Log in to deployer and go to the $SPLUNK_HOME/etc/shcluster/apps directory.
  2. Go to the DA-ITSI-CP-windows-dashboards directory in the $SPLUNK_HOME/etc/shcluster/apps directory.
  3. Go to the default directory and make a copy of the file app.conf to DA-ITSI-CP-windows-dashboards/local. If a local directory doesn't exist, create it.
  4. Open app.conf in the local directory.
  5. Inside the [install] stanza, change state = enabled to state = disabled.
  6. Save the change.
  7. From the deployer, run this command to deploy the updated apps to the cluster members:
    splunk apply shcluster-bundle --answer-yes -target <URI>:<management_port> -auth <username>:<password>
    
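The search-head cluster procedure above as an added example script (not part of the Splunk documentation or the content pack): it seeds local/app.conf from default/, sets the [install] state to disabled, and pushes the bundle. SPLUNK_HOME, the function names and the example management URI are assumptions.

```shell
# Added example, not from the Splunk documentation or the content pack itself.
# Overrides the [install] state in local/app.conf on the deployer (default/ is
# never edited), then pushes the bundle. Function and variable names are assumed.
set -eu
APP_DIR="${SPLUNK_HOME:-/opt/splunk}/etc/shcluster/apps/DA-ITSI-CP-windows-dashboards"

# Set state = disabled in the [install] stanza of $1/local/app.conf, seeding local/
# from default/ if needed. Other stanzas stay untouched; a missing [install] or
# state key is added rather than silently skipped.
disable_app_local() {
    app_dir="$1"
    mkdir -p "$app_dir/local"
    [ -f "$app_dir/local/app.conf" ] || cp "$app_dir/default/app.conf" "$app_dir/local/app.conf"
    awk '
        /^\[/ {
            if (in_install && !seen) { print "state = disabled"; seen = 1 }
            in_install = ($0 == "[install]")
            if (in_install) have_install = 1
        }
        in_install && /^[ \t]*state[ \t]*=/ { print "state = disabled"; seen = 1; next }
        { print }
        END {
            if (!seen) { if (!have_install) print "[install]"; print "state = disabled" }
        }
    ' "$app_dir/local/app.conf" > "$app_dir/local/app.conf.tmp"
    mv "$app_dir/local/app.conf.tmp" "$app_dir/local/app.conf"
}

# Print the [install] state from $1/local/app.conf for a pre-deploy check.
app_state() {
    awk '/^\[/ { in_install = ($0 == "[install]") }
         in_install && /^[ \t]*state[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }' \
        "$1/local/app.conf"
}

# Step 7: push the bundle. Leaving out -auth makes the splunk CLI prompt for
# credentials rather than recording them in shell history.
push_bundle() {
    "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" apply shcluster-bundle --answer-yes -target "$1"
}

# Usage: sh disable_cp.sh https://sh-captain.example.com:8089   (constructed URI)
if [ "$#" -ge 1 ]; then
    disable_app_local "$APP_DIR"
    echo "[install] state in local/app.conf: $(app_state "$APP_DIR")"
    push_bundle "$1"
fi
```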

Data isn't populated on the deployment server

Problem

After you configure and deploy the Splunk Add-on for Windows, data isn't getting populated on the deployment server.

Solution

Perform the following steps to check that data is populated on the deployment server:

  1. In the system bar, click Apps > Search & Reporting.
  2. Click Data Summary. The data summary page shows the Hosts tab as active.
  3. Scan through the list of hostnames for the name of your deployment client.
  4. If you do not see the deployment client hostname, there is a problem between the client and the indexer. Confirm that you have properly configured receiving on the indexer, that you have properly configured the forwarder to send data to the indexer, and that no network issue exists between the deployment client and the indexer.
  5. Search through the data to confirm that all of the events you configured in the Splunk Add-on for Windows have been sent to the indexer.

If you don't see the events you expect, confirm that you have configured the Splunk Add-on for Windows for all inputs that you want it to collect.

Error message in status bar

Problem

The following error message displays in status bar at the top of your browser window:

External search command 'ldapsearch' returned error code 1. ERROR: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

Cause

When the Content Pack for Windows Dashboards and Reports can't complete a search using the SA-ldapsearch supporting add-on, it notifies you by displaying an error message in the status bar at the top of your browser window.

The Content Pack for Windows Dashboards and Reports also writes a message to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log, similar to the following:

2012-08-10 14:58:34.108 -0700 pid=877 com.splunk.program.LDAPSearch:main#-1 ERROR Exception com.unboundid.ldap.sdk.LDAPException thrown: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@

Solution

If you see an error message when performing a search, use the following table to decode the data value and resolve the error:

Data value | Description | Action steps
255 | Either the domain was not found or there was a syntax error in the search command. | Confirm that the domain that you want to monitor exists and is configured properly, or that your search string is properly formatted and syntactically correct.
525 | The username provided in ldap.conf is not valid. | Edit ldap.conf and provide the correct user, then restart your central Splunk instance.
52E | The password provided in ldap.conf is not valid. | Edit ldap.conf and provide the correct password, then restart your central Splunk instance.
530 | The user account provided is not allowed to log into Active Directory at this time. | Remove the user's logon time restrictions from within Active Directory, then try again.
531 | The user account provided is not allowed to log into Active Directory from the current server. | Modify the local security policy of the server from which the specified user is trying to log in to Active Directory, then try again.
532 | The user account provided has an expired password. | Change the user's password or set the "Password never expires" bit from within Active Directory, then try again.
533 | The user account provided is disabled. | Re-enable the user account from within Active Directory, then try again.
701 | The user account provided has expired. | Re-enable the user account from within Active Directory, then try again.
773 | The user account provided has the "User must reset password at next logon" bit set. | Un-set the "User must reset password at next logon" bit for the user account from within Active Directory, then try again.
775 | The user account provided is locked because an incorrect password has been entered too many times. | Re-enable the user account from within Active Directory and change the password to a known good one, then try again.

Cannot find the configuration stanza for domain

Problem

The external search command 'ldapsearch' returns error code 1. You will see a message similar to the following:

Script output = "error_message=Cannot find the configuration stanza for domain=" <your domain name>" in ldap.conf.

Check the configuration of SA-ldapsearch, because configuration errors can produce this LDAP error in the Active Directory dashboards.

Solution

Make sure that all the domains are properly configured in the Splunk Supporting Add-on for Active Directory. For more information, see Configure the Splunk Supporting Add-on for Active Directory.

Dashboards are not populating data

Problem

The dashboards for the content pack do not display data.

Solution

Check that the Splunk Add-on for Windows is configured properly. For more information, see Configure the Splunk Add-on for Windows.

Last modified on 23 February, 2023

This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.0, 1.2.1, 1.2.2, 1.3.0
