Splunk® Content Packs for ITSI and IT Essentials Work


Troubleshoot the Content Pack for Windows Dashboards and Reports

Getting warning "Eventtype 'wineventlog-ds' does not exist or is disabled"

Problem

Getting warning "Eventtype 'wineventlog-ds' does not exist or is disabled" when a search is run in the Search and Reporting app.

Cause

The Content Pack for Windows Dashboards and Reports depends on the Splunk Add-on for Windows. Because this content pack is enabled by default, if the Splunk Add-on for Windows isn't installed you will receive a warning when the searches in the content pack are run.

Solution

To resolve this, disable the Content Pack for Windows Dashboards and Reports.

Splunk Cloud Platform customers with ITSI and the Splunk App for Content Packs installed on a dedicated search-head environment can follow these steps to disable the content pack:

  1. Go to Manage apps.
  2. Search for "Content Pack for Windows Dashboards and Reports."
  3. Select Disable.

Splunk Cloud Platform customers with ITSI and the Splunk App for Content Packs installed on a search-head cluster environment can contact the CloudOps team to disable Content Pack for Windows Dashboards and Reports.

On-premises customers with ITSI and the Splunk App for Content Packs installed on a dedicated search head can follow these steps to disable the content pack:

  1. Go to Manage apps.
  2. Search for "Content Pack for Windows Dashboards and Reports."
  3. Select Disable.

On-premises customers with ITSI and the Splunk App for Content Packs installed on a search-head cluster environment can follow these steps:

  1. Log in to the deployer and go to the $SPLUNK_HOME/etc/shcluster/apps directory.
  2. Go to the DA-ITSI-CP-windows-dashboards directory in the $SPLUNK_HOME/etc/shcluster/apps directory.
  3. Go to the default directory and copy the file app.conf to DA-ITSI-CP-windows-dashboards/local. If a local directory doesn't exist, create it.
  4. Go to the local directory and open the file app.conf.
  5. Inside the [install] stanza, change state = enabled to state = disabled.
  6. Save the change.
  7. From the deployer, run this command to deploy the updated apps to cluster members:
    splunk apply shcluster-bundle --answer-yes -target <URI>:<management_port> -auth <username>:<password>
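
Steps 1 through 6 above as a script. This is an added example, not part of the Splunk documentation; the function name disable_content_pack and the sample app.conf contents are hypothetical, and the dry run works on a constructed copy of the app layout rather than a real deployer.

```shell
#!/bin/sh
# Added example: steps 1-6 of the search-head cluster procedure as one function.
# Usage on the deployer: disable_content_pack "$SPLUNK_HOME/etc/shcluster/apps"
disable_content_pack() {
    app="$1/DA-ITSI-CP-windows-dashboards"
    conf="$app/local/app.conf"
    [ -f "$app/default/app.conf" ] || { echo "no default/app.conf under $app" >&2; return 1; }
    mkdir -p "$app/local" || return 1
    # Keep an existing local/app.conf so earlier local overrides are not lost.
    [ -f "$conf" ] || cp "$app/default/app.conf" "$conf" || return 1
    # Rewrite only the state key inside [install]; other stanzas pass through.
    awk '
        /^[ \t]*\[/ {
            if (in_install && !done) { print "state = disabled"; done = 1 }
            in_install = ($0 ~ /^[ \t]*\[install\]/)
            if (in_install) seen = 1
        }
        in_install && /^[ \t]*state[ \t]*=/ {
            if (!done) { print "state = disabled"; done = 1 }
            next
        }
        { print }
        END {
            if (seen && !done) print "state = disabled"
            if (!seen) { print "[install]"; print "state = disabled" }
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Dry run on a constructed copy of the app layout (sample data, not a real deployer).
demo=$(mktemp -d)
mkdir -p "$demo/DA-ITSI-CP-windows-dashboards/default"
printf '[install]\nstate = enabled\nbuild = 1\n\n[ui]\nis_visible = true\n' \
    > "$demo/DA-ITSI-CP-windows-dashboards/default/app.conf"
disable_content_pack "$demo" && cat "$demo/DA-ITSI-CP-windows-dashboards/local/app.conf"
rm -rf "$demo"
```

The function stops at step 6; step 7 is still run from the deployer. Omitting -auth makes the Splunk CLI prompt for credentials, which keeps the password out of shell history and the process list.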
    

Data isn't populated on deployment server

Problem

After you configure and deploy the Splunk Add-on for Windows, data isn't populated on the deployment server.

Solution

Check that data is populated:

  1. In the system bar, click Apps > Search & Reporting.
  2. Click Data Summary. Splunk brings up the data summary page with the Hosts tab active.
  3. Scan through the list of hostnames for the name of your deployment client.
  4. Note: If you do not see the deployment client hostname, then there is a problem occurring between the client and the indexer. Confirm that you have properly configured receiving on the indexer, you have properly configured the forwarder to forward data to the indexer, and no network issue exists between the deployment client and the indexer.

  5. Search through the data to see that all of the events you configured in the Splunk Add-on for Windows have been sent to the indexer.

If you don't see the events you expect, confirm that you have configured the Splunk Add-on for Windows for all inputs that you want it to collect.

Error message in status bar

Problem

An error message displays in the status bar (at the top of your browser window):

External search command 'ldapsearch' returned error code 1. ERROR: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

Cause

When the Content Pack for Windows Dashboards and Reports can't complete a search using the SA-ldapsearch supporting add-on, it notifies you by displaying an error message in the status bar (at the top of your browser window).

The Content Pack for Windows Dashboards and Reports also writes a message to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log, similar to this:

2012-08-10 14:58:34.108 -0700 pid=877 com.splunk.program.LDAPSearch:main#-1 ERROR Exception com.unboundid.ldap.sdk.LDAPException thrown: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@

Solution

If you see an error message similar to this when performing a search, use the following table to decode the data value and resolve the error.

Data value | Description | Action steps
255 | Either the domain was not found or there was a syntax error in the search command. | Confirm that the domain that you want to monitor exists and is configured properly, or that your search string is properly formatted and syntactically correct.
525 | The username provided in ldap.conf is not valid. | Edit ldap.conf and provide the correct user, then restart your central Splunk instance.
52E | The password provided in ldap.conf is not valid. | Edit ldap.conf and provide the correct password, then restart your central Splunk instance.
530 | The user account provided is not allowed to log into Active Directory at this time. | Remove the user's log on time restrictions from within Active Directory, then try again.
531 | The user account provided is not allowed to log into Active Directory from the current server. | Modify the local security policy of the server from which the specified user is trying to log in to Active Directory, then try again.
532 | The user account provided has an expired password. | Change the user's password or set the "Password never expires" bit from within Active Directory, then try again.
533 | The user account provided is disabled. | Re-enable the user account from within Active Directory, then try again.
701 | The user account provided has expired. | Re-enable the user account from within Active Directory, then try again.
773 | The user account provided has the "User must reset password at next logon" bit set. | Un-set the "User must reset password at next logon" bit for the user account from within Active Directory, then try again.
775 | The user account provided is locked because an incorrect password has been entered too many times. | Re-enable the user account from within Active Directory and change the password to a known good one, then try again.
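
The table above applied to SA-ldapsearch.log lines. This is an added example, not Splunk's code; the function names ldap_bind_errors and sample_log are hypothetical, and every sample line except the first is constructed.

```shell
#!/bin/sh
# Added example: decode the "data" value of AcceptSecurityContext errors in
# SA-ldapsearch.log with the table on this page.
# Reads the named files or stdin; prints "timestamp<TAB>code<TAB>meaning".
ldap_bind_errors() {
    awk '
    BEGIN {
        m["255"] = "domain not found or syntax error in the search command"
        m["525"] = "username in ldap.conf is not valid"
        m["52E"] = "password in ldap.conf is not valid"
        m["530"] = "account not allowed to log in at this time"
        m["531"] = "account not allowed to log in from this server"
        m["532"] = "account password has expired"
        m["533"] = "account is disabled"
        m["701"] = "account has expired"
        m["773"] = "account must reset password at next logon"
        m["775"] = "account is locked after too many incorrect passwords"
    }
    /AcceptSecurityContext error, data / {
        rest = $0
        sub(/.*AcceptSecurityContext error, data /, "", rest)
        # The value can contain hex digits (52E); the tail (", vece^@") is ignored.
        code = match(rest, /^[0-9A-Fa-f]+/) ? toupper(substr(rest, 1, RLENGTH)) : "?"
        meaning = (code in m) ? m[code] : "not in the table"
        printf "%s %s %s\t%s\t%s\n", $1, $2, $3, code, meaning
    }' "$@"
}

# Sample input: the first line is the one shown on this page, the rest are constructed.
sample_log() {
    cat <<'EOF'
2012-08-10 14:58:34.108 -0700 pid=877 com.splunk.program.LDAPSearch:main#-1 ERROR Exception com.unboundid.ldap.sdk.LDAPException thrown: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@
2012-08-10 15:02:11.470 -0700 pid=912 com.splunk.program.LDAPSearch:main#-1 ERROR Exception com.unboundid.ldap.sdk.LDAPException thrown: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
2012-08-10 15:02:12.001 -0700 pid=912 com.splunk.program.LDAPSearch:main#-1 INFO constructed line without an LDAP error
2012-08-10 15:04:40.233 -0700 pid=930 com.splunk.program.LDAPSearch:main#-1 ERROR Exception com.unboundid.ldap.sdk.LDAPException thrown: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece
EOF
}

sample_log | ldap_bind_errors
```

On a Splunk instance, pass the log path instead: ldap_bind_errors "$SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log".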

Cannot find the configuration stanza for domain

Issue

The external search command 'ldapsearch' returns error code 1. You will see a message similar to the following:

Script output = "error_message=Cannot find the configuration stanza for domain=" <your domain name>" in ldap.conf.

Check the configuration of SA-ldapsearch, because configuration errors can generate the LDAP error in Active Directory dashboards.

Resolution

Make sure that all the domains are properly configured in the Splunk Supporting Add-on for Active Directory. For more information, see Configure the Splunk Supporting Add-on for Active Directory.

Dashboards are not Populating Data

Issue

The dashboards for the content pack do not display data.

Resolution

Check that the Splunk Add-on for Windows is configured properly. For more information, see Configure the Splunk Add-on for Windows.

Last modified on 20 September, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current

