Hi Splunkers,
I am installing the Splunk App for Windows in my Windows environment. My server is 2012 R2. I followed the instructions on docs.splunk.com, but I can't see my Active Directory data. The primary problem is that when I click Start in the dialog box to detect the types of data, my Active Directory data is not found.
For example:
...
Active Directory: Domains not found.
Detecting Domain Controllers
Active Directory: Domain Controllers not found.
Detecting DNS
Active Directory: DNS not found.
Detecting Users
Active Directory: Users found.
...
I checked the add-ons on my server but I didn't find my problem.
Any idea?
Hi everyone,
Splunk's eventtype was not configured with "index=msad" in the Windows application. When I configured index=msad, I could see my health data in the application.
Thank you for your attention.
Cheers.

Hi, can you please explain how exactly you did this?

Hi Dfigurello,
Please help me to know how to check index=msad.
Thanks Pro,
Khai

Hi,
The Windows Infrastructure first-time-run page detects on event types. Even if the data is present, the detection will fail if the event types are not present.
Can you perform the following search and see what data comes back?
eventtype=msad-dc-health
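A way to check for the cause reported in this thread (an event type whose search names no index), added here as an example and not taken from any poster or from the app itself. The stanza and sourcetype names come from the thread; the search strings and the sample file are constructed assumptions, not the app's shipped eventtypes.conf.

```python
import configparser
import re

# Constructed sample, NOT the app's shipped eventtypes.conf. Stanza and
# sourcetype names come from the thread; the search strings are assumptions.
SAMPLE_EVENTTYPES_CONF = '''
[msad-dc-health]
search = sourcetype="MSAD:NT6:Health"

[msad-replication-example]
search = index=msad sourcetype="MSAD:NT6:Replication"

[perfmon-ntds-example]
search = index IN (perfmon) source="Perfmon:NTDS"
'''

# Matches index=foo, index::foo and index IN (...), but not e.g. "reindex=".
INDEX_TERM = re.compile(r'(?<![\w-])index\s*(?:=|::|\s+in\b)', re.IGNORECASE)


def parse_eventtypes(conf_text):
    """Return {stanza name: search string} from eventtypes.conf text."""
    # Only '=' is a delimiter, so colons inside sourcetypes are left alone.
    parser = configparser.RawConfigParser(delimiters=('=',), strict=False)
    parser.optionxform = str  # keep option names as written
    parser.read_string(conf_text)
    return {name: parser.get(name, 'search', fallback='')
            for name in parser.sections()}


def unscoped_eventtypes(conf_text):
    """Event types whose search names no index, so they only match events
    stored in the indexes the searching role searches by default."""
    return sorted(name
                  for name, search in parse_eventtypes(conf_text).items()
                  if not INDEX_TERM.search(search))


if __name__ == '__main__':
    for name in unscoped_eventtypes(SAMPLE_EVENTTYPES_CONF):
        print(f'{name}: no index term; data in index=msad will not match')
```

An event type that takes its index from a macro or a nested event type is flagged as well, so those need a manual look.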
When I ran a search:
index=* source=Powershell sourcetype="MSAD:NT6:Health", I saw 6,220 events.
Any idea?
Hi Dungpv,
Have you enabled audit policies in the AD environment?
Try running the following search:
index=* source=WinEventLog:Security
What's the result?
Cheers!
Hi dfigurello,
I am facing the same issue and ran the search you mentioned above; however, I haven't got any data. Please suggest a workaround.
Hi dfigurello,
I have the same error. I can detect some Active Directory data, such as:
Active Directory: Domains found.
Detecting Domain Controllers
Active Directory: Domain Controllers found.
Detecting DNS
Active Directory: DNS found.
But I can't detect data from User, Computer, Active Directory. Could you please give me the instructions to detect user, computer, AD?
Many thanks.
No results found.
What can it be?
Any idea?
Cheers!


Do you have SA-ldapsearch on your search heads, and the msad, winevents, and perfmon indexes on your indexers?
Hi ChrisG,
Yes, I have SA-ldapsearch in my Splunk. In this case, I am working with 01 server.
When I run a search I have the following sourcetypes and sources:
index=msad
source=ActiveDirectory
source=PowerShell
Sourcetype=ActiveDirectory
sourcetype=MSAD:NT6:Replication
sourcetype=Powershell:ScriptExecutionSummary
sourcetype=MSAD:NT6:DNS-Zone-information
sourcetype=MSAD:NT6:Health
sourcetype=MSAD:NT6:SiteInfo
sourcetype=MSAD:NT6:DNS-Health
sourcetype=Powershell:ScriptExecutionErrorRecord
index=winevents
source=WinEventLog:Directory Service
source=WinEventLog:DNS Server
sourcetype=WinEventLog:Directory Service
sourcetype=WinEventLog:DNS Server
index=perfmon
source=Perfmon:Processor
source=Perfmon:NTDS
source=Perfmon:DNS
source=Perfmon:Network_interface
sourcetype=Perfmon:Processor
sourcetype=Perfmon:NTDS
sourcetype=Perfmon:DNS
sourcetype=Perfmon:Network_interface
cheers!
Splunk App for Windows Infrastructure
Version 1.0.4
Add-on in my server:
SA-ModularInput-PowerShell
Splunk_TA_windows
TA-DNSServer-NT6
TA-DomainController-2012R2
Tks!
