All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

App for Windows Infrastructure can't track AD Users or Groups - what am I missing?

keinsignal
Engager
‎06-09-2014 02:17 PM

I'm guessing somewhere along the way I skipped an important step, but I'm hoping somebody can give me some way to troubleshoot this issue without having to start over from scratch... I'm working with a very simple setup here, with a single Splunk server, and a universal forwarder (plus the relevant apps) installed on one of our two local domain controllers (2008 R2).

I've tested LDAP searches, that seems to be working. Security logging on the DC is auditing everything except "process tracking". Data is clearly flowing into Splunk, but the app claims that data for "Users", "Groups", and "Computers" is not found when I run the auto-setup.

(Weird and probably irrelevant aside: "Computers" did actually show up during one attempt, but never since. I did not make any change I can think of that would have caused this, was literally just hitting the "Detect" button over and over again thinking maybe the issue was that maybe not enough log data had been imported yet).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎06-09-2014 03:11 PM

The searches for auto-detection in our First Time Run experience are only within the last 15 minutes, which would explain why you saw a computer event. If you explicitly check those items, you should see them show up in the pages associated with those items.

View solution in original post

Reply
Solved! Jump to solution
Solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎06-09-2014 03:11 PM

The searches for auto-detection in our First Time Run experience are only within the last 15 minutes, which would explain why you saw a computer event. If you explicitly check those items, you should see them show up in the pages associated with those items.

Reply
Solved! Jump to solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎06-10-2014 02:22 PM

Glad I could answer it. 🙂
Give it a try, check those boxes, and look at some of the user/computer/etc. related items under Active Directory in the navigation menu. You should start seeing your data show up given an appropriate time frame.

Reply
Solved! Jump to solution

Ibbers
Explorer
‎12-02-2020 10:28 PM

Oh, so the timeframe for the initial check is the last 15min?

And the solution to the "not found" warning is to check the boxes anyway, save, and then wait for the Win Infra dashboards to present the data?

0 Karma
Reply
Solved! Jump to solution

keinsignal
Engager
‎06-10-2014 12:32 PM

Well now I feel a bit silly for not trying that. Thanks!

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...