All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Active Directory not found. How to troubleshoot a problem in Splunk App for Windows Infrastructure?

dfigurello
Communicator
‎10-14-2014 12:16 PM

hi splunkers,

I am installing splunk for Windows app in my windows environment. My server is 2012 R2. I followed the instructions in the docs.splunk.com, but I can't see my active directory data. The primary problem is when i click start in dialog box to detection type of data, my data active directory were not found.

For example:
...
Active Directory: Domains not found.
Detecting Domain Controllers
Active Directory: Domain Controllers not found.
Detecting DNS
Active Directory: DNS not found.
Detecting Users
Active Directory: Users found.
...

I checked addons in my server but I don't found my problem.

Any idea ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dfigurello
Communicator
‎10-22-2014 09:24 AM

Hi everyone,

The splunk's eventtype was not configured with "index=msad" in the windows application, when I configured index=msad , I could see my health data in application.

Thank you for attention.

Cheers.

View solution in original post

Reply
Solved! Jump to solution
Solution

dfigurello
Communicator
‎10-22-2014 09:24 AM

Hi everyone,

The splunk's eventtype was not configured with "index=msad" in the windows application, when I configured index=msad , I could see my health data in application.

Thank you for attention.

Cheers.

Reply
Solved! Jump to solution

neerajshah81
Path Finder
‎07-18-2018 06:49 PM

Hi can you pls explain how exactly did you do this ?

Reply
Solved! Jump to solution

khaihuynhit
Explorer
‎08-07-2018 02:14 AM

Hi Dfigurello,
Pls, help me to know how to check index=msad.

Thanks Pro,
Khai

Reply
Solved! Jump to solution

malmoore
Splunk Employee
Splunk Employee
‎10-16-2014 04:14 PM

Hi,

The Windows Infrastructure first-time-run page detects on event types. Even if the data is present, the detection will fail if the event types are not present.

Can you perform the following search and see what data comes back?

eventtype=msad-dc-health
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-18-2014 09:04 AM

When I ran a searh:
index=* source=Powershell sourcetype="MSAD:NT6:Health", I saw 6,220 events.

Any idea?

0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎11-13-2014 05:43 AM

Hi Dungpv,

have you enable audit policies in AD environment ?
Try run the follow search:
index=* source=WinEventLog:Security
What's the result?
Cheers!

0 Karma
Reply
Solved! Jump to solution

damode
Motivator
‎10-18-2017 01:31 AM

Hi dfigurello ,

I am facing the same issue and ran the search you mentioned above, however, havent got any data. Please suggest workaround

0 Karma
Reply
Solved! Jump to solution

dungpv
Explorer
‎11-12-2014 08:50 PM

Hi dfigurello,

I have same an error. I can detect some data active directory as:

Active Directory: Domains found.
Detecting Domain Controllers
Active Directory: Domain Controllers found.
Detecting DNS
Active Directory: DNS found.

But I can't dectect data from User, Computer, Active Directory. Could you please give me the intruction to detect user,computer, AD?
Many thanks.

Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-18-2014 08:28 AM

No results found.
What can be ?

Any idea?

Cheers!

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎10-14-2014 03:19 PM

Do you have SA-ldapsearch on your search heads, and the msad, winevents, and perfmon indexes on your indexers?

0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-15-2014 07:50 AM

Hi ChrisG,

Yes I have SA-ldapsearch in my Splunk. In this case, I am working with 01 server.
When I run a search i have the following sourcestypes and sources:

index=msad
source=ActiveDirectory

source=PowerShell

Sourcetype=ActiveDirectory
sourcetype=MSAD:NT6:Replication
sourcetype=Powershell:ScriptExecutionSummary
sourcetype=MSAD:NT6:DNS-Zone-information
sourcetype=MSAD:NT6:Health
sourcetype=MSAD:NT6:SiteInfo
sourcetype=MSAD:NT6:DNS-Health
sourcetype=Powershell:ScriptExecutionErrorRecord

index=winevents
source=WinEventLog:Directory Service
source=WinEventLog:DNS Server

sourcetype=WinEventLog:Directory Service
sourcetype=WinEventLog:DNS Server

index=perfmon
source=Perfmon:Processor
source=Perfmon:NTDS
source=Perfmon:DNS
source=Perfmon:Network_interface

sourcetype=Perfmon:Processor
sourcetype=Perfmon:NTDS
sourcetype=Perfmon:DNS
sourcetype=Perfmon:Network_interface

cheers!

Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-14-2014 12:56 PM

Splunk App for Windows Infrastructure
Version 1.0.4

Add-on in my server:
SA-ModularInput-PowerShell
Splunk_TA_windows
TA-DNSServer-NT6
TA-DomainController-2012R2

Tks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top