I will first admit I'm a Splunk newbie; we are in the "sizing" stage and have not purchased yet, but I'm pretty sure we will. Anyway, I'm trying to get this Windows Infrastructure app working. I have Splunk v6.1 installed, and I have the correct GPOs on the DCs.
Now when you come to help, start off easy :), remember I'm a newbie 🙂
Make sure you have a Splunk Universal Forwarder with Splunk_TA_Windows installed on it, configured to send Windows event logs.
Go to the Windows Infrastructure App, then go to Settings and Event Types.
You should see something that looks like this screenshot.
You'll want to try these searches and see where you have data. For example, you can search this:
search index=* eventtype=msad-nt5-successful-user-logons OR eventtype=msad-nt6-successful-user-logons
Check to see where you have data by searching for these event types. For example, start with:
search index=* eventtype=wineventlog-security
Do you see EventCode as an interesting field?
If not, then you don't have the right permissions set on the knowledge objects for this app.
Look for the eventtype=wineventlog-security definition and make sure that it matches your environment.
Save it and try these eventtype searches again.
I'm seeing the same issue. I believe it is because, if you look at the default config files in both the App and the Windows TA add-ons, the indexes are NOT the same. The Win Infra App looks for Windows event logs in an index named "winevents", while the TA add-on saves event logs to index "wineventlog". I'm not sure how the Infra App config file could possibly work since it doesn't even look in the same locations. I'm working on trying to fix all of those mismatches myself.
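A quick way to confirm the index mismatch described in the post above, and to check that the eventtype definitions from the earlier answer point at the index your TA actually writes to, is to cross-check the two .conf files. This is an added example, not code from the thread or from either Splunk package; the two config snippets are constructed stand-ins for an app's eventtypes.conf and the TA's inputs.conf, and the stanza names are assumed for illustration.

```python
"""Cross-check the indexes named in an app's eventtypes.conf against the
indexes the Windows TA's WinEventLog inputs write to."""
import re
from configparser import ConfigParser

# Constructed stand-in for the app's eventtypes.conf (not the real file).
APP_EVENTTYPES_CONF = """
[wineventlog-security]
search = index=winevents sourcetype=WinEventLog:Security

[msad-nt6-successful-user-logons]
search = eventtype=wineventlog-security EventCode=4624
"""

# Constructed stand-in for the TA's inputs.conf (not the real file).
TA_INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
index = wineventlog
"""

# Matches index=foo or index="foo" inside an SPL search string.
INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?')


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def ta_indexes(inputs_text):
    """Set of indexes the TA's WinEventLog:// inputs send events to."""
    return {st.get("index", "default")
            for name, st in parse_conf(inputs_text).items()
            if name.startswith("WinEventLog://")}


def find_index_mismatches(eventtypes_text, inputs_text):
    """Return {eventtype: [index, ...]} for searches pinned to an index the TA never writes to."""
    targets = ta_indexes(inputs_text)
    bad = {}
    for name, stanza in parse_conf(eventtypes_text).items():
        for idx in INDEX_RE.findall(stanza.get("search", "")):
            if idx != "*" and idx not in targets:  # index=* is a wildcard, never a mismatch
                bad.setdefault(name, []).append(idx)
    return bad


if __name__ == "__main__":
    for et, idxs in find_index_mismatches(APP_EVENTTYPES_CONF, TA_INPUTS_CONF).items():
        print(f"eventtype [{et}] searches {idxs}; TA writes to {sorted(ta_indexes(TA_INPUTS_CONF))}")
```

Point the two constants at the real files under each package's default/ and local/ directories to run it against your own deployment; any eventtype it reports is one whose index= term needs to be changed in the app's local/eventtypes.conf.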
Did you start with the documentation? It includes a New to Splunk? topic as well as detailed installation and configuration instructions and troubleshooting information.
Did you configure event types and build the lookup tables?
Sorry, so I've installed the App on the indexer and forwarders on my DCs. When I go to do the detect in the app, it just says "not found" for all of the detects, things like domain, DCs, group policy, etc. There are 12 things it detects for, and none of them are found.