Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure

Confirm and troubleshoot Windows data collection

This topic discusses how to confirm and troubleshoot data collection from the Splunk Add-on for Windows.

Check the indexer for data

After you configure and deploy the Splunk Add-on for Windows into your deployment client, you should check the deployment server to see that data has arrived. The fastest way to do that is to load the Search and Reporting app and view the Data Summary:

  1. In the system bar, click Apps > Search & Reporting. Splunk Enterprise loads the Search & Reporting app.
  2. Click Data Summary. Splunk brings up the data summary page with the "Hosts" tab active.
  3. Scan through the list of host names for the name of your deployment client.
    • If you do not see the deployment client host name, then there is a problem between the client and the indexer. Confirm that:
      • You have properly configured receiving on the indexer.
      • You have properly configured the "send to indexer" app to forward data to the indexer.
      • No network issue exists between the deployment client and the indexer.
  4. Click the host name in the list. Splunk Enterprise brings up a search window that displays all events associated with the deployment client host name.
  5. Search through the data to see that all of the events you configured in the Splunk Add-on for Windows have been sent to the indexer. See "Sample searches and dashboards."
    • If you do not see the events you expect, try these steps:
      • Confirm that you have configured the Splunk Add-on for Windows for all inputs that you want it to collect.
      • Confirm that you have placed the add-on in the deployment apps directory and reloaded the deployment server.
      • Confirm that the deployment client does not have errors attempting to collect the data.
      • More troubleshooting steps are available in the Splunk Troubleshooting manual.
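
The same check, done against search results instead of the Data Summary page, as an added example that is not part of the Splunk documentation. It assumes the rows come from a `tstats` search over the indexes named in the comment below (perfmon, winevtlog, msad) exported as JSON, that the sourcetypes in EXPECTED are the inputs you enabled in the add-on, and it uses constructed sample rows for the hosts winhost01 and winhost02.

```python
"""Map a deployment client's search results to the troubleshooting branch of
the procedure above: no host at all (step 3) versus missing inputs (step 5)."""
import json

# Assumed search; the index names are the ones named in the comment on this page.
SEARCH = ("| tstats count where index=perfmon OR index=winevtlog OR index=msad "
          "by host, sourcetype")

# Assumed set of inputs enabled in the Splunk Add-on for Windows.
EXPECTED = {"WinEventLog:Security", "WinEventLog:System",
            "WinEventLog:Application", "Perfmon:CPU"}

# Constructed sample rows, shaped like the JSON export of the search above.
SAMPLE_ROWS = json.loads("""[
  {"host": "winhost01", "sourcetype": "WinEventLog:Security", "count": "412"},
  {"host": "winhost01", "sourcetype": "WinEventLog:System", "count": "88"},
  {"host": "winhost01", "sourcetype": "WinEventLog:Application", "count": "51"},
  {"host": "winhost01", "sourcetype": "Perfmon:CPU", "count": "1200"},
  {"host": "winhost02", "sourcetype": "WinEventLog:System", "count": "73"},
  {"host": "winhost02", "sourcetype": "WinEventLog:Application", "count": "19"},
  {"host": "winhost02", "sourcetype": "Perfmon:CPU", "count": "0"}
]""")


def summarize(rows):
    """Return {host: set(sourcetypes with at least one event)}."""
    seen = {}
    for row in rows:
        if int(row.get("count", 0)) > 0:   # a zero-count row is not evidence of arrival
            seen.setdefault(row["host"], set()).add(row["sourcetype"])
    return seen


def diagnose(rows, client):
    """Return (branch, details) for one deployment client host name."""
    seen = summarize(rows)
    if client not in seen:
        # Step 3: nothing from this client reached the indexer. Check receiving on the
        # indexer, the "send to indexer" app, and the network path.
        return ("no-host", sorted(EXPECTED))
    missing = sorted(EXPECTED - seen[client])
    if missing:
        # Step 5: the client is reporting, but some configured inputs never arrived.
        # Check inputs.conf in the add-on, the deployment apps directory, and client errors.
        return ("missing-inputs", missing)
    return ("ok", [])


if __name__ == "__main__":
    for host in ("winhost01", "winhost02", "winhost03"):
        print(host, *diagnose(SAMPLE_ROWS, host))
```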

What's next?

You have configured and deployed the Splunk Add-on for Windows to your deployment clients, which means that Windows data is now present on the indexer.

The next step is to get Active Directory data onto the indexer.


This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 2.0.0


Comments

Strictly following the instructions in this "Splunk App for Windows Infrastructure" chapter will cause no Windows data to appear in Data Summary in step 2, because the section "Install and configure a Splunk platform indexer" creates indexes that are not added to the default indexes of the user's role.
The best is to add a step before 1 like this:
In the system bar, click Settings > Access controls, click Roles, select the role in use, and in the section Indexes searched by default add perfmon, winevtlog and msad.

Amontoya1
April 12, 2018
