
Configure Splunk for Active Directory

New Member

I am attempting to follow the online documentation/PDF for configuring my AD forwarder, but am having some trouble.

When customizing the index names in the .conf files, where in my Splunk install can I find these? Does anyone know the default index names that would have been used?

I installed the Splunk portion on my Kubuntu Linux receiver a couple of weeks ago, and now am trying to configure the DC in my new DEV AD environment for Windows testing.

Thank you in advance for any replies/help.

0 Karma

New Member

Hi all, I have configured the Splunk App for Active Directory. I am getting raw data from Active Directory.

But when I go through the Splunk App for AD, I cannot see any logs, events, or data.

My configuration:

  1. The Universal Forwarder is installed on the Active Directory server with the correct port number, 9997. WMI is also correctly configured.

  2. Splunk 5 (the receiver) is installed on one machine, and the Active Directory app is also installed on the same Splunk instance.

  3. The user has full access.

  4. But I am still not getting data.

Please help me solve this.

0 Karma

Splunk Employee

Are you just trying to assign the right index for the inputs.conf on the forwarder? The indexes in the app are msad, perfmon, and winevents, and you'll find them defined on your Splunk server in Splunk_for_ActiveDirectory/default/indexes.conf. If you need to create your own indexes, you'll have some work to do, but you can define those through the UI as well.

From the readme.txt file:

Configuring Indices

By default, the Splunk_TA_windows logs events into the main index. The TAs for Splunk App for
Active Directory log events into one of three indices:

* perfmon       = All performance data
* winevents     = All Windows Event Log data
* msad          = Everything else

If you decide on a different indexing scheme, you will need to create the indices and adjust the
inputs.conf on the TAs before deployment. In addition, you will need to adjust eventtypes.conf
and macros.conf for the new index locations.

0 Karma
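The readme quoted above lists four files that must agree once you change the indexing scheme: indexes.conf (where the indices are defined), inputs.conf on the TAs, and the eventtypes.conf and macros.conf searches that name those indices. A mismatch between them is one reason an app dashboard stays empty while raw data is still arriving. The following script is an added example, not code from this thread or from the Splunk app: it parses the four .conf files and reports every index reference that indexes.conf does not define. All .conf contents in it are constructed samples, and every stanza name apart from the three indices the thread names (perfmon, winevents, msad) is hypothetical.

```python
"""Cross-check index names across Splunk App for Active Directory .conf files.

Added example, not code from the thread or the app: after changing the indexing
scheme, confirm that every index referenced by inputs.conf, eventtypes.conf and
macros.conf is actually defined in indexes.conf. The .conf contents below are
constructed samples; every stanza name except the three indices the thread names
(perfmon, winevents, msad) is hypothetical.
"""
import configparser
import re


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk .conf files are INI-like ([stanza], key = value, '#' comments), but
    keys are case-sensitive and stanza names contain '://', so use
    RawConfigParser with '=' as the only delimiter and no key lower-casing.
    """
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False,
                                      delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


# index=<name> token inside an eventtype search or a macro definition.
INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?')


def defined_indexes(indexes_conf):
    """Index names are the stanza headers of indexes.conf, minus [default] and volume: stanzas."""
    return {s for s in parse_conf(indexes_conf)
            if s != "default" and not s.startswith("volume:")}


def referenced_indexes(inputs_conf, eventtypes_conf, macros_conf):
    """Return (file, stanza, index) for every index reference in the three files."""
    refs = []
    for stanza, kv in parse_conf(inputs_conf).items():
        if kv.get("index"):
            refs.append(("inputs.conf", stanza, kv["index"]))
    for fname, text, key in (("eventtypes.conf", eventtypes_conf, "search"),
                             ("macros.conf", macros_conf, "definition")):
        for stanza, kv in parse_conf(text).items():
            for match in INDEX_RE.finditer(kv.get(key) or ""):
                refs.append((fname, stanza, match.group(1)))
    return refs


def find_undefined(indexes_conf, inputs_conf, eventtypes_conf, macros_conf):
    """Sorted references to indexes that indexes.conf does not define (wildcards skipped)."""
    defined = defined_indexes(indexes_conf)
    return sorted({ref for ref in referenced_indexes(inputs_conf, eventtypes_conf, macros_conf)
                   if ref[2] not in defined and "*" not in ref[2]})


# Constructed indexes.conf: the admin renamed winevents to ad_winevents.
INDEXES_CONF = """
[perfmon]
homePath = $SPLUNK_DB/perfmon/db

[ad_winevents]
homePath = $SPLUNK_DB/ad_winevents/db

[msad]
homePath = $SPLUNK_DB/msad/db
"""

# Constructed inputs.conf: the forwarder inputs were updated to match.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
index = ad_winevents

[perfmon://Processor]
object = Processor
counters = % Processor Time
instances = *
interval = 10
index = perfmon

[admon://default]
disabled = 0
index = msad
"""

# Constructed eventtypes.conf and macros.conf: both still point at the old name.
EVENTTYPES_CONF = """
[msad-user-logons]
search = index=winevents sourcetype="WinEventLog:Security" EventCode=4624
"""

MACROS_CONF = """
[msad_winevents]
definition = index=winevents sourcetype="WinEventLog:*"
"""

if __name__ == "__main__":
    for fname, stanza, idx in find_undefined(INDEXES_CONF, INPUTS_CONF,
                                             EVENTTYPES_CONF, MACROS_CONF):
        print(f"{fname} [{stanza}] references undefined index '{idx}'")
```

In the constructed sample, inputs.conf was updated along with indexes.conf, but the eventtype and the macro still search `index=winevents`, so the script flags both. Run it against the real files under the app's `default/` and `local/` directories (and the TA's inputs.conf on the forwarder) after any rename; an index that is referenced but never defined means the app's searches return nothing even though the forwarder is sending data.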

Splunk Employee

That typo has since been fixed.

0 Karma

New Member

Does anyone know where this went?

  1. Download (http://splunk-base.splunk.com/apps/Splunk+support+for+active+directory) the new SA-ldapsearch supporting add-on and unpack it to an accessible location.

Important: The SA-ldapsearch supporting add-on replaces the Perl LDAP commands that come with the Splunk App for Active Directory.

0 Karma

New Member

I'm trying to configure the admon.conf, perfmon.conf and inputs.conf as shown in
http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/Configureanddeploythetechnicala...

0 Karma