All Apps and Add-ons

No hosts, no data returned from Windows Infra app

eholz1
Contributor

Hello, I have seen similar posts to this, but none of the answers helped.
I have splunk 7.3.1 running on W2K12 with the Windows Infrasture app and the splunk supporting add-on for active directory.

I can connect to the domain app using an administrator level account.
I can step thru the guided setup for Windows Infra app - all the pre-reqs are checked as "OK",
the check for data shows 15 or more events, and two warnings - one for WinPrintMon (we do not do any printing from the windows servers in our domain), and the sourcetype="Winregistry" shows no events either.

From the Splunk Add-on for Microsoft Windows Active Directory:
All searches have completed
OK: 5 or more events detected in the last 24 hours
WARNING: Search "sourcetype="ActiveDirectory*" | head 5" did not return any events in the last 24 hours

Clicking "Next" take me to Customization - for Windows I have: Event monitoring, Perf monitoring, host monitoring checked.
for Active Directory I have Domain Controllers checked (we have two, PDC and backup), Users, Computers,Group Policy and OUs checked.

When I click "Detect" I get "found" for most of the Windows settings, but nothing is "found" for the Active Directory selections

The configuration shows as "saved" but I get no data in the AD Overview, and only 1 out of 16 hosts in the Windows Overview.

Where did I go wrong? What might I be missing?

Thanks,
eholz

0 Karma

Ibbers
Explorer

not sure if you fixed it in the end mate, but looks like your inputs.conf aren't pushing the right events data through.  Check that you have the right prerequisite components installed on your DC too. And whilst you're in inputs.conf, check each sourcetype is going to the right index.

0 Karma

eholz1
Contributor

What file or files do I need to get this to work? So far have not found the answer

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...