Troubleshoot the Content Pack for Windows Dashboards and Reports
The Content Pack for Windows Dashboards and Reports relies on the Splunk Add-on for Windows and the Splunk Supporting Add-on for Active Directory for data input collection and knowledge object management. When troubleshooting, determine whether the issue you are experiencing is relevant to the content pack or to the add-ons.
Here are some common issues in Content Pack for Windows Dashboards and Reports and how to resolve them:
Getting warning "Eventtype 'wineventlog-ds' does not exist or is disabled"
Problem
Getting warning "Eventtype 'wineventlog-ds' does not exist or is disabled" when a search is run in the Search and Reporting app.
Cause
The Content Pack for Windows Dashboards and Reports depends on the Splunk Add-on for Windows. Because this content pack is enabled by default, if the Splunk Add-on for Windows is not installed you receive this warning when the searches in the content pack are run.
Solution
To resolve this, disable the Content Pack for Windows Dashboards and Reports.
Splunk Cloud Platform customers with ITSI and the Splunk App for Content Packs installed on a dedicated search-head environment can follow these steps to disable the content pack:
- Go to Manage apps.
- Search for "Content Pack for Windows Dashboards and Reports."
- Select Disable.
Splunk Cloud Platform customers with ITSI and the Splunk App for Content Packs installed on a search-head cluster environment can contact the CloudOps team to disable Content Pack for Windows Dashboards and Reports.
On-premises customers with ITSI and the Splunk App for Content Packs installed on a dedicated search head can follow these steps to disable the content pack:
- Go to Manage apps.
- Search for "Content Pack for Windows Dashboards and Reports."
- Select Disable.
On-premises customers with ITSI and the Splunk App for Content Packs installed on a search-head cluster environment can follow these steps:
- Log in to the deployer and go to the $SPLUNK_HOME/etc/shcluster/apps directory.
- Go to the DA-ITSI-CP-windows-dashboards directory in the $SPLUNK_HOME/etc/shcluster/apps directory.
- Go to the default directory and make a copy of the file app.conf to DA-ITSI-CP-windows-dashboards/local. If a local directory doesn't exist, create it.
- Go to the local directory and open app.conf.
- Inside the [install] stanza, change state = enabled to state = disabled.
- Save the change.
- From the deployer, run this command to deploy the updated apps to cluster members:
splunk apply shcluster-bundle --answer-yes -target <URI>:<management_port> -auth <username>:<password>
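The file edits from the steps above as a script. This is an added example, not part of the Splunk documentation; the function name disable_content_pack is hypothetical, and it assumes it is run on the deployer against the app directory named in the steps.

```shell
#!/bin/sh
# Added example: override [install] state in local/app.conf without touching
# default/app.conf. disable_content_pack is a hypothetical helper name.

disable_content_pack() {
    app_dir="$1"   # e.g. $SPLUNK_HOME/etc/shcluster/apps/DA-ITSI-CP-windows-dashboards
    default_conf="$app_dir/default/app.conf"
    local_conf="$app_dir/local/app.conf"

    [ -f "$default_conf" ] || { echo "missing $default_conf" >&2; return 1; }

    # Create local/ if needed; seed it from default/ only when no local copy
    # exists, so existing local overrides are preserved.
    mkdir -p "$app_dir/local" || return 1
    [ -f "$local_conf" ] || cp "$default_conf" "$local_conf" || return 1

    # Rewrite "state" only inside [install]. If the stanza has no state key,
    # add one; if the stanza is absent, append it.
    tmp="$local_conf.tmp.$$"
    awk '
        function emit_state() {
            if (in_install && !done) { print "state = disabled"; done = 1 }
        }
        /^\[/ {
            emit_state()
            in_install = ($0 ~ /^\[install\][ \t]*$/)
            if (in_install) seen = 1
        }
        in_install && /^[ \t]*state[ \t]*=/ {
            if (!done) print "state = disabled"
            done = 1
            next
        }
        { print }
        END {
            emit_state()
            if (!seen) { print "[install]"; print "state = disabled" }
        }
    ' "$local_conf" > "$tmp" && mv "$tmp" "$local_conf"
}

# After the edit, push the bundle from the deployer with the command above:
#   splunk apply shcluster-bundle --answer-yes -target <URI>:<management_port> -auth <username>:<password>
```

Keys named state in other stanzas are left alone, and default/app.conf is never modified.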
Data isn't populated on the deployment server
Problem
After you configure and deploy the Splunk Add-on for Windows, data isn't getting populated on the deployment server.
Solution
Perform the following steps to check that data is populated on the deployment server:
- In the system bar, click Apps > Search & Reporting.
- Click Data Summary. The data summary page shows the Hosts tab as active.
- Scan through the list of hostnames for the name of your deployment client.
- Search through the data to see that all of the events you configured in the Splunk Add-on for Windows have been sent to the indexer.
If you do not see the deployment client hostname, then there is a problem occurring between the client and the indexer. Confirm that you have properly configured receiving on the indexer, that you have properly configured the forwarder to forward data to the indexer, and that no network issue exists between the deployment client and the indexer.
If you don't see the events you expect, confirm that you have configured the Splunk Add-on for Windows for all inputs that you want it to collect.
Error message in status bar
Problem
The following error message displays in the status bar at the top of your browser window:
External search command 'ldapsearch' returned error code 1. ERROR: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Cause
When the Content Pack for Windows Dashboards and Reports can't complete a search using the SA-ldapsearch supporting add-on, it notifies you by displaying an error message in the status bar at the top of your browser window.
The Content Pack for Windows Dashboards and Reports also writes a message to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log, similar to the following:
2012-08-10 14:58:34.108 -0700 pid=877 com.splunk.program.LDAPSearch:main#-1 ERROR Exception com.unboundid.ldap.sdk.LDAPException thrown: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@
Solution
If you see an error message when performing a search, use the following table to decode the data value and resolve the error:
Data value | Description | Action steps |
---|---|---|
255 | Either the domain was not found or there was a syntax error in the search command. | Confirm that the domain that you want to monitor exists and is configured properly, or that your search string is properly formatted and syntactically correct. |
525 | The username provided in ldap.conf is not valid. | Edit ldap.conf and provide the correct user, then restart your central Splunk instance. |
52E | The password provided in ldap.conf is not valid. | Edit ldap.conf and provide the correct password, then restart your central Splunk instance. |
530 | The user account provided is not allowed to log into Active Directory at this time. | Remove the user's log on time restrictions from within Active Directory, then try again. |
531 | The user account provided is not allowed to log into Active Directory from the current server. | Modify the local security policy of the server from which the specified user is trying to log in to Active Directory, then try again. |
532 | The user account provided has an expired password. | Change the user's password or set the "Password never expires" bit from within Active Directory, then try again. |
533 | The user account provided is disabled. | Re-enable the user account from within Active Directory, then try again. |
701 | The user account provided has expired. | Re-enable the user account from within Active Directory, then try again. |
773 | The user account provided has the "User must reset password at next logon" bit set. | Un-set the "User must reset password at next logon" bit for the user account from within Active Directory, then try again. |
775 | The user account provided is locked because an incorrect password has been entered too many times. | Re-enable the user account from within Active Directory and change the password to a known good one, then try again. |
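To apply the table to a whole SA-ldapsearch.log instead of one message, the following added example (not part of the Splunk documentation) extracts the data value from each error line and counts occurrences per value. The function names are hypothetical and the sample lines are constructed in the format shown above.

```shell
#!/bin/sh
# Added example: extract the "data" value from SA-ldapsearch.log error lines
# and map it to the table above. All function names are hypothetical.

# Read log lines on stdin; print one upper-cased data value per matching line.
extract_codes() {
    sed -n 's/.*LdapErr:.*, data \([0-9A-Fa-f][0-9A-Fa-f]*\),.*/\1/p' | tr 'a-f' 'A-F'
}

# Data value of a single log line (empty output if the line has none).
ldap_data_code() { printf '%s\n' "$1" | extract_codes; }

# Short form of the table's Description column.
ldap_data_meaning() {
    case "$1" in
        255) echo "domain not found or search syntax error" ;;
        525) echo "username in ldap.conf is not valid" ;;
        52E) echo "password in ldap.conf is not valid" ;;
        530) echo "account not allowed to log in at this time" ;;
        531) echo "account not allowed to log in from this server" ;;
        532) echo "account password has expired" ;;
        533) echo "account is disabled" ;;
        701) echo "account has expired" ;;
        773) echo "account must reset password at next logon" ;;
        775) echo "account is locked" ;;
        *)   echo "value not in table" ;;
    esac
}

# Print "<count> <data value> <meaning>" for each distinct value in a log file.
summarize_ldap_errors() {
    extract_codes < "$1" | sort | uniq -c | while read -r n code; do
        printf '%s %s %s\n' "$n" "$code" "$(ldap_data_meaning "$code")"
    done
}

# Constructed sample lines (not real log data), for trying the functions offline.
P='2012-08-10 14:58:34.108 -0700 pid=877 com.splunk.program.LDAPSearch:main#-1 ERROR Exception com.unboundid.ldap.sdk.LDAPException thrown: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data'
SAMPLE_LOG="$P 52e, vece
$P 52E, vece
$P 775, vece
2012-08-10 15:00:00.000 -0700 pid=877 INFO constructed line without a data value"
```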
Cannot find the configuration stanza for domain
Problem
The external search command 'ldapsearch' returns error code 1. You will see a message similar to the following:
Script output = "error_message=Cannot find the configuration stanza for domain=" <your domain name>" in ldap.conf.
Check the configuration of SA-ldapsearch, because configuration errors can generate the LDAP error in Active Directory dashboards.
Solution
Make sure that all the domains are properly configured in the Splunk Supporting Add-on for Active Directory. For more information, see Configure the Splunk Supporting Add-on for Active Directory.
Dashboards are not populating data
Problem
The dashboards for the content pack do not display data.
Solution
Check that the Splunk Add-on for Windows is configured properly. For more information, see Configure the Splunk Add-on for Windows.
This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.0, 1.2.1, 1.2.2, 1.3.0