Unfortunately this add-on does not work. The error message I see in one of the log files from the UF says

07-14-2020 20:51:22.527 WARN btool-support - Bad regex value: 'Id\s+:\s+(?.*)\s+Message', of param: props.conf / [WinDNS:Analytical] / EXTRACT-win-dns-analytical-event_id; why: unrecognized character after (? or (?-

I tried to modify the regex in question to following
EXTRACT-win-dns-analytical-event_id = Id\s+:\s+?(.*)\s+Message

This stops the warning but I still do not see the logs in Splunk (index is empty with no events). When I run the script manually it executes just fine. I also tried to pass the flag -SplunkdLogging to see if there were any meaningful logs getting emitted from the manual script execution but it was not helpful.

The following is what I see in the splunkd log file but nothing regarding any script execution afterwards -

07-14-2020 23:40:20.774 +0000 INFO ExecProcessor - interval: 60000 ms
07-14-2020 23:40:20.775 +0000 INFO ExecProcessor - New scheduled exec process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-WinDNSAnalytical\bin\get_dns_analytics.ps1' -SplunkdLogging"
07-14-2020 23:40:20.775 +0000 INFO ExecProcessor - interval: 60000 ms
07-14-2020 23:40:20.775 +0000 INFO ExecProcessor - New scheduled exec process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-WinDNSAnalytical\bin\init_dns_analytics.ps1'"
07-14-2020 23:40:20.775 +0000 INFO ExecProcessor - interval: run once

Any help would be appreciated.

I have installed the (TA) add-on on the Domain Controller, where we have the DNS Analytical logs enabled, through Splunk UF using the deployment server, with a minor change in index name in inputs.conf and indexes.conf to use an existing index , instead of creating a new index dns.

But I am only seeing the following events coming into Splunk from that source. Do we need to do anything

INFO [:3240] Script exceeded maximum runtime of . Terminating PID 3240

Please see the image below (scrubbed host information) -

Thanks

Hi hkelley,

Thanks for your work on the app. I have installed the app on splunk forwarder and search head side. When I restart the forwarder services, I am getting following powershell related errors.

Get-WinEvent : No events were found that match the specified selection
criteria.
At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\b
in\get_dns_analytics.ps1:1 char:1

• Get-WinEvent -Oldest -LogName "Microsoft-Windows-DNSServer/Analytical ...

•   + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Comma 
   nds.GetWinEventCommand
  
  

I am also getting same error when I run the script manually. Have you faced such kind of issue or am I missing any configurations?

Regards,
Vijay