Splunk® Add-on for Windows

Troubleshoot the Splunk Add-on for Windows

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Field dest not properly extracted

The dest field is not extracted properly for the sources WinEventLog:System, XmlWinEventLog:System, XmlWinEventLog:Security, or WinEventLog:Security.

The dest field is extracted by the Computer_as_dest stanza in default/transforms.conf. The value of the Computer element may contain "."-separated components, for example WB-DEATHSTAR.VADER. As of add-on version 8.0.0, the stanza extracts the entire value:

[Computer_as_dest]
REGEX = <Computer>([^<]+)<\/Computer>
FORMAT = dest::$1

If you instead want the field value to stop at the first ".", change the regex in the stanza as follows:

[Computer_as_dest]
REGEX = <Computer>([^.<]+).*?<\/Computer>
FORMAT = dest::$1
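
To see what each stanza produces from the same event, here is an added PowerShell example; it is not part of the add-on or its documentation. It runs both regexes from the stanzas above against two constructed XmlWinEventLog fragments, one with a dotted Computer value and one without. Splunk applies transforms.conf regexes with PCRE; for these two patterns the .NET engine used by [regex]::Match produces the same captures. The event text and the Get-DestField helper are assumptions made for this example.

```powershell
# Added example, not code from the Splunk Add-on for Windows.
# Constructed XmlWinEventLog fragments; only the <Computer> element matters here.
$events = @(
    "<Event><System><EventID>4624</EventID><Computer>WB-DEATHSTAR.VADER</Computer></System></Event>",
    "<Event><System><EventID>4624</EventID><Computer>DC01</Computer></System></Event>"
)

# Regex from the 8.0.0 Computer_as_dest stanza: capture everything up to </Computer>.
$fullValueRegex  = '<Computer>([^<]+)<\/Computer>'
# Alternative regex from the page: stop the capture at the first "." (or at "<").
$shortValueRegex = '<Computer>([^.<]+).*?<\/Computer>'

# Returns capture group 1, which is what FORMAT = dest::$1 assigns to the dest field.
function Get-DestField {
    param(
        [Parameter(Mandatory)] [string] $EventXml,
        [Parameter(Mandatory)] [string] $Pattern
    )
    $match = [regex]::Match($EventXml, $Pattern)
    if (-not $match.Success) { return $null }   # no match means no dest is extracted
    return $match.Groups[1].Value
}

foreach ($xml in $events) {
    [pscustomobject]@{
        DestFullValue  = Get-DestField -EventXml $xml -Pattern $fullValueRegex
        DestShortValue = Get-DestField -EventXml $xml -Pattern $shortValueRegex
    }
}
```

For the dotted value the 8.0.0 regex yields WB-DEATHSTAR.VADER and the alternative yields WB-DEATHSTAR; for DC01 both agree. Choose the stanza that matches how dest appears in your other data sources (for example, asset lookups keyed on short host names versus FQDNs), and keep in mind that truncating at the first "." drops the domain, so two hosts with the same short name in different domains collapse into a single dest value.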

Cannot launch add-on

This add-on has no views and is not intended to be visible in Splunk Web. If you try to launch or load views for this add-on and see unexpected results, turn off visibility for the add-on.

For more details about add-on visibility and instructions for turning visibility off, see Troubleshoot add-ons in Splunk Add-ons.

Upgrading from a previous version

If you recently upgraded to the Splunk Add-on for Windows version 6.0.0 and are experiencing data loss, you might have incorrectly upgraded your add-on. See Upgrade the Splunk Add-on for Windows for instructions on upgrading your add-on.

Potential data duplication issues

Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 overwrite the WindowsUpdate.log file after it reaches a certain size, truncating it from the beginning. How much is truncated depends on the size of the new events. This can cause data duplication.

In Windows 10 and Windows Server 2016, the Get-WindowsUpdateLog command generates a new static WindowsUpdate.log file every time it runs. The entire file is then re-indexed, which can cause data duplication.

Troubleshooting searches

Use the following searches to check that the Splunk Add-on for Windows is properly configured.

Run the following search to see the count of events by sourcetype collected by the Splunk Add-on for Windows. If you are not using a custom index, run the following search with index=main.

index=<your custom index name here> | stats count by sourcetype

If the search does not return the expected sourcetypes, check the following.

  • You have enabled the inputs included with the Splunk Add-on for Windows on each forwarder that runs the add-on.
  • You have installed the add-on on the indexers or heavy forwarders in your deployment.
  • If you have changed the index names in inputs.conf, make sure that the custom indexes are present on all forwarders and indexers.

Run the following search to see if Windows Event Log and performance metric data are present in Splunk Enterprise.

eventtype=wineventlog_windows OR eventtype=perfmon_windows

If the search does not return the expected events, make sure that you have installed the Splunk Add-on for Windows on all search heads in your Splunk Enterprise deployment.

Events missing from Splunk software

If you notice dropped events in your Splunk platform, the cause may be a log size setting in Windows Event Viewer. Follow the steps below to increase the log size so that events are not overwritten before they are collected.

  1. From a Windows desktop, open the Event Viewer desktop application.
  2. From the Event Viewer navigation tree, select Windows Logs.
  3. Right-click the log whose size needs to be increased and select Properties.
  4. Check to see if Enable logging is selected. If not, select Enable logging.
  5. In the Maximum log size field, specify a size based on your own requirements.
  6. Under When maximum event log size is reached, select Overwrite events as needed (oldest events first).
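
The same check and change can be made from PowerShell. This is an added example, not part of the Splunk documentation: it reads the current settings with Get-WinEvent -ListLog and applies the Event Viewer steps with the built-in wevtutil sl command. The log names and the 1 GB maximum are assumptions; adjust them to your requirements and run from an elevated prompt.

```powershell
# Added example, not from the Splunk docs. Assumed log names and size; adjust as needed.
$logNames = 'Application', 'Security', 'System'
$maxBytes = 1GB    # PowerShell expands 1GB to 1073741824

# Show the current state. A disabled log, a small maximum size, or a non-circular
# LogMode are the settings that cause events to be lost before the forwarder reads them.
foreach ($name in $logNames) {
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    [pscustomobject]@{
        LogName = $log.LogName
        Enabled = $log.IsEnabled
        MaxMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode = $log.LogMode      # Circular == "Overwrite events as needed (oldest events first)"
        Records = $log.RecordCount
    }
}

# Apply the Event Viewer steps: enable logging (/e:true), set the maximum size in
# bytes (/ms:), and keep circular retention (/rt:false) so the log never stops writing.
foreach ($name in $logNames) {
    & wevtutil.exe sl $name /e:true "/ms:$maxBytes" /rt:false
    if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil failed for $name (exit code $LASTEXITCODE)" }
}
```

If the maximum size reverts after the next Group Policy refresh, the value is being set by the Event Log Service policy (Computer Configuration > Administrative Templates > Windows Components > Event Log Service), and the change has to be made there instead.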

Third-party field extraction errors

The Splunk Add-on for Windows 5.0.x removes NTSyslog, Snare, MonitorWare, and Enterprise Security 2.0.2 field extractions. See Upgrade the Splunk Add-on for Windows for instructions on how to successfully upgrade the Splunk Add-on for Windows.

Splunk events are sent to main index

The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x. See Upgrade the Splunk Add-on for Windows for instructions on how to successfully upgrade the Splunk Add-on for Windows.

Error: "The following error occurred: The service has not been started." for TimeSyncConfiguration or TimeSyncStatus

If you see this error in your logs for sourcetype=Script:TimesyncConfiguration or sourcetype=Script:TimesyncStatus, enable the Windows Time service.

Steps

  1. From the Windows desktop, open the Run app.
  2. Enter services.msc and press Enter.
  3. In the Services console, select Windows Time.
  4. Open Properties, set the startup type to Automatic, and start the service.
  5. Save your changes.
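
The same fix as an added PowerShell example (not from the Splunk docs). W32Time is the service name behind the "Windows Time" display name. The script records the service state, sets it to start automatically, starts it, and then runs w32tm /query /status, which returns the "The service has not been started." message from the heading while W32Time is stopped.

```powershell
# Added example, not from the Splunk docs. W32Time is the Windows Time service name.
$svc = Get-Service -Name W32Time
Write-Output ("Before: {0} Status={1} StartType={2}" -f $svc.DisplayName, $svc.Status, $svc.StartType)

# Mirror the services.msc steps: startup type Automatic, then start the service.
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name W32Time -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name W32Time
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

$svc = Get-Service -Name W32Time
Write-Output ("After:  {0} Status={1} StartType={2}" -f $svc.DisplayName, $svc.Status, $svc.StartType)

# While W32Time is stopped this query fails with "The service has not been started.";
# once the service runs it reports the time source and last sync, so the scripted
# inputs have something to collect.
& w32tm.exe /query /status
```

Run it from an elevated prompt; Set-Service and Start-Service need administrator rights. If the service stops again later, check whether a Group Policy or a scheduled task is managing the startup type.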

Searches for WinEventLogs are not returning older events

Searching for sourcetype=WinEventLog or sourcetype=XmlWinEventLog does not return events that were already indexed. See source and sourcetype changes.

"File $SplunkHome\bin\splunk-powershell.ps1 cannot be loaded because running scripts is disabled on this system"

This issue is caused by the PowerShell execution policy on your Microsoft Windows system. See about Execution Policies for more information on configuring execution policies on your Windows deployment.
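
An added PowerShell example (not from the Splunk docs) for checking and changing the policy. It lists the policy at every scope, then sets RemoteSigned for LocalMachine, which lets local scripts such as splunk-powershell.ps1 run while still requiring a signature on scripts downloaded from the internet. RemoteSigned is an assumption; substitute whatever policy your standards allow.

```powershell
# Added example, not from the Splunk docs. Run from an elevated PowerShell prompt.

# 1. See which scope produces the effective policy. A value at MachinePolicy or
#    UserPolicy comes from Group Policy and wins over every other scope.
Get-ExecutionPolicy -List

# 2. The forwarder runs splunk-powershell.ps1 under its service account, not your
#    interactive session, so the machine-wide policy is the one that matters.
$effective = Get-ExecutionPolicy
if ($effective -eq 'Restricted') {
    # RemoteSigned (assumed choice): local scripts run, downloaded scripts must be signed.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# 3. Confirm. If the effective policy is still Restricted, Group Policy is setting
#    MachinePolicy and the change has to be made there instead.
Get-ExecutionPolicy -List
Get-ExecutionPolicy
```

The 64-bit and 32-bit (x86) Windows PowerShell hosts keep separate LocalMachine policies, so run this from a host of the same bitness as the one the forwarder launches.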

Last modified on 26 March, 2021

This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.2

