
Splunk App for Windows Infrastructure configuration - Domain data not found

unimedcba
Engager


The Splunk Infrastructure app was installed, with all prerequisites validated, and the deployment was made to the Active Directory servers.
However, when running resource detection, the domain controllers are not found. I couldn't find a forum post that resolves this situation.

0 Karma

unimedcba
Engager

Hi, understood. The problem is that the data of Active Directory - Domain Control does not show, even though the indicators in the config show success, as in the image in the top post. But when searching in index=msda, data are showing.

0 Karma

gcusello
SplunkTrust

Hi unimedcba,
could you re-edit your question in English?
Anyway, I'm Latin (Italian) so your language isn't so different from mine!
If I correctly understood, you installed AD TAs but you don't see data.
Run this search: index=msad
if you have results, it means that data are arriving but your searches don't see them, probably because they are out of the default search path.
In this case, you can add msad index to the default search path or modify the search that creates lookups inserting also the condition index=msad.
If you don't see data, you have to troubleshoot your architecture.

Bye.
Giuseppe

gcusello
SplunkTrust

As I said, you are already receiving data on your indexers, so the problem is in the scheduled searches that populate the lookups, because the msad index is out of the default search path and in the macros and eventtypes there usually isn't the filter on index (index=msad).
You have two ways:

  • modify default search path
  • modify macros and eventtypes in App

The first solution is easier:

  • search in your App the search to populate lookup ([Settings -- Searches, Reports and Alerts]),
  • see the owner of the scheduled searches (probably Admin),
  • go in [Settings -- Access Control -- Users] and see the roles of the App Owner (probably Admin),
  • go in [Settings -- Access Control -- Roles -- Indexes] and add msad index to modify the Role you found (probably Admin) inserting a flag on "Included" and "Default",
  • then rebuild lookups.

In this way your lookups should be populated with your data.

Bye.
Giuseppe

P.S.: to answer my comment, add a new comment to this answer, don't insert a new answer.

0 Karma
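
An added example (not from the thread or from Splunk): the "Included" and "Default" checkboxes on a role correspond to srchIndexesAllowed and srchIndexesDefault in authorize.conf, and both are inherited through importRoles. This Python check resolves them on a constructed sample file and reports which roles would search msad without an explicit index= filter; the role name example_ad_viewer and the sample contents are assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; example_ad_viewer is a hypothetical role.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_admin]
importRoles = user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os

[role_example_ad_viewer]
importRoles = user
srchIndexesDefault = msad;perfmon
"""

def load_roles(text):
    """Parse authorize.conf text into {role: {setting: [values]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names such as importRoles case-sensitive
    cp.read_string(text)
    return {s[5:]: {k: [x.strip() for x in v.split(";") if x.strip()]
                    for k, v in cp[s].items()}
            for s in cp.sections() if s.startswith("role_")}

def effective(roles, role, setting, seen=None):
    """Union of a setting over the role and every role it imports."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    values = set(roles[role].get(setting, []))
    for parent in roles[role].get("importRoles", []):
        values |= effective(roles, parent, setting, seen)
    return values

def index_matches(patterns, index):
    """Splunk-style wildcard: '*' does not cover internal (_-prefixed) indexes."""
    return any(fnmatchcase(index, p) and (p.startswith("_") or not index.startswith("_"))
               for p in patterns)

def audit(text, index="msad"):
    """Return {role: (allowed, searched_by_default)} for the given index."""
    roles = load_roles(text)
    return {r: (index_matches(effective(roles, r, "srchIndexesAllowed"), index),
                index_matches(effective(roles, r, "srchIndexesDefault"), index))
            for r in roles}
```

A role that reports (True, False) can read msad but its scheduled searches only see it when they say index=msad explicitly, which is the situation described in the answer above.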

unimedcba
Engager

Thank you

0 Karma

gcusello
SplunkTrust

Hi unimedcba,
if you're satisfied with this answer, please accept and/or upvote it.
Bye, see next time.
Giuseppe

0 Karma