Troubleshoot the Splunk Add-on for Windows
For helpful troubleshooting tips for all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual. For additional resources, see Support and resource links for add-ons in the Splunk Add-ons manual.
Field dest not properly extracted
The field dest is not extracted properly for the sources WinEventLog:System, XmlWinEventLog:System, XmlWinEventLog:Security, or WinEventLog:Security.
The field dest is extracted by the Computer_as_dest stanza, which is configured in default/transforms.conf. The value of this field may contain “.”-separated components, for instance WB-DEATHSTAR.VADER. In add-on version 8.0.0, the stanza was updated so that it extracts the entire value. For example:
[Computer_as_dest]
REGEX = <Computer>([^<]+)<\/Computer>
FORMAT = dest::$1
If, however, you expect the value of the field to break at the “.”, then the regex in the stanza can be changed as follows:
[Computer_as_dest]
REGEX = <Computer>([^.<]+).*?<\/Computer>
FORMAT = dest::$1
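To see what each version of the stanza produces before you change transforms.conf, the following added example (not part of the add-on or of this documentation) applies both REGEX values to a constructed XmlWinEventLog fragment and mimics FORMAT = dest::$1 by returning capture group 1. The event text, the hostnames and the function name extract_dest are assumptions made for the demonstration; Splunk evaluates the stanza with PCRE, and for these two patterns Python's re module behaves the same way.

```python
import re
from typing import Optional

# Constructed sample XmlWinEventLog:Security fragment (not from the page).
# The <Computer> value is dotted, like the WB-DEATHSTAR.VADER example above.
SAMPLE_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID>"
    "<Computer>WB-DEATHSTAR.VADER</Computer></System>"
    "</Event>"
)

# Constructed variant with an undotted hostname, to show the two regexes agree there.
SAMPLE_EVENT_NO_DOT = SAMPLE_EVENT.replace("WB-DEATHSTAR.VADER", "WB-DEATHSTAR")

# The two REGEX values exactly as they appear in the Computer_as_dest stanza.
# Inside [...] the "." is literal, so [^.<]+ stops at the first dot or "<".
REGEX_FULL_VALUE = r"<Computer>([^<]+)<\/Computer>"        # add-on 8.0.0 default
REGEX_BREAK_AT_DOT = r"<Computer>([^.<]+).*?<\/Computer>"  # optional short-name form


def extract_dest(event: str, regex: str) -> Optional[str]:
    """Mimic FORMAT = dest::$1: return capture group 1, or None when the
    regex does not match (Splunk would then leave dest unset for the event)."""
    match = re.search(regex, event)
    return match.group(1) if match else None


if __name__ == "__main__":
    for label, regex in (("full value", REGEX_FULL_VALUE),
                         ("break at dot", REGEX_BREAK_AT_DOT)):
        print(f"{label:13s} dotted={extract_dest(SAMPLE_EVENT, regex)!r} "
              f"undotted={extract_dest(SAMPLE_EVENT_NO_DOT, regex)!r}")
```

Pick the stanza that matches how dest is populated by your other data sources: if other add-ons write the fully qualified name into dest, keeping the 8.0.0 default avoids the same host appearing under two different dest values in CIM-based searches and correlation rules.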
Cannot launch add-on
This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.
For more details about add-on visibility and instructions for turning visibility off, see Check if an add-on is intended to be visible or not in the Splunk Add-ons manual.
Upgrading from a previous version
If you recently upgraded to the Splunk Add-on for Windows version 6.0.0 and are experiencing data loss, you might have upgraded your add-on incorrectly. See Upgrade to Splunk Add-on for Windows for instructions on upgrading your add-on.
Potential data duplication issues
Windows 8, Windows 8.1, Windows Server 2012, Windows 2008R2, and Windows 2012R2 overwrite the WindowsUpdate.log file after it reaches a certain size, and then truncate the log file from the beginning. The size of the truncation depends on the size of the new events. This may cause data duplication.
In Windows 10 and Windows Server 2016, the Get-WindowsUpdateLog command generates a static WindowsUpdate.log file every time the command runs. This causes the entire file to be re-indexed, which may cause data duplication.
Troubleshooting searches
Use the following searches to check that the Splunk Add-on for Windows is properly configured.
Run the following search to see the count of events by sourcetype collected by the Splunk Add-on for Windows. If you are not using a custom index, run the search with index=main.
Search
index=<your custom index name here> | stats count by sourcetype
If the search does not return the expected sourcetypes, check the following:
- You have enabled the inputs included with the Splunk Add-on for Windows on each forwarder that runs the add-on.
- You have installed the add-on on the indexers or heavy forwarders in your deployment.
- If you have changed the index names in inputs.conf, make sure that the custom indexes are present on all forwarders and indexers.
Run the following search to see if Windows Event Log and performance metric data are present in Splunk Enterprise.
eventtype=wineventlog_windows OR eventtype=perfmon_windows
If the search does not return the expected events, check the following:
- You have the “windows_admin” role added to your user. See the Configure users and roles section in Upgrade the Splunk Add-on for Windows.
- You have installed the Splunk Add-on for Windows on all search heads in your Splunk Enterprise deployment.
Events missing from Splunk software
If you notice dropped events in your Splunk platform, it may be the result of a log size setting in Event Viewer. Follow the steps below to avoid events being overwritten before they are collected:
- From a Windows desktop, open the Event Viewer desktop application.
- In the Event Viewer navigation tree, select Windows Logs.
- Right-click the log whose size needs to be increased and select Properties.
- Check whether Enable logging is selected. If not, select Enable logging.
- In the Maximum log size field, specify a size based on your own requirements.
- Under When maximum event log size is reached, select Overwrite events as needed (oldest events first).
Third-party field extraction errors
The Splunk Add-on for Windows 5.0.x removes the NTSyslog, Snare, MonitorWare, and Enterprise Security 2.0.2 field extractions. See Upgrade the Splunk Add-on for Windows for instructions on how to successfully upgrade the Splunk Add-on for Windows.
Splunk events are sent to the main index
The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x. See Upgrade the Splunk Add-on for Windows for instructions on how to successfully upgrade the Splunk Add-on for Windows.
Error: “The following error occurred: The service has not been started.” for TimeSyncConfiguration or TimeSyncStatus
If you see this error in your logs for sourcetype=Script:TimesyncConfiguration or sourcetype=Script:TimesyncStatus, enable the Windows Time service.
Steps
- From the Windows desktop, open the Run app.
- Search for the services.msc file.
- In services.msc, select Windows Time.
- Click Properties, change the service status to Start, and change the startup type to Automatic.
- Save your changes.
Searches for WinEventLogs are not returning older events
Searching for sourcetype=WinEventLog or sourcetype=XmlWinEventLog does not return already indexed events. See source and sourcetype changes.
“File $SplunkHome-powershell.ps1 cannot be loaded because running scripts is disabled on this system”
This issue is caused by the execution policy on your Microsoft Windows system. See about Execution Policies for more information on configuring execution policies on your Microsoft Windows deployment.
Windows Update log in unknown format for Windows Server 2016 and later
If you see that Windows Update logs are in an unknown format on Windows Server 2016 and later, you need to get the output of WindowsUpdate.log in the correct format. You need administrative rights to run the command Get-WindowsUpdateLog; this is a Microsoft Windows requirement. See https://docs.microsoft.com/en-gb/archive/blogs/charlesa_us/windows-10-windowsupdate-log-and-how-to-view-it-with-powershell-or-tracefmt-exe for more information.
To get the output of WindowsUpdate.log in the correct format, run the Splunk platform as an admin user:
- Select “search” > “run” > “services.msc”.
- After the Services window opens, select Splunkd or Splunkd Service, then go to “Properties”.
- Select the “Log On” tab. Select the second option, log on as “This account”, browse to the account, type the password and confirm password for that account, and apply the changes.
- Stop the Splunkd or Splunkd Service and then start it again.