Hello, I have seen similar posts to this, but none of the answers helped.
I have Splunk 7.3.1 running on W2K12 with the Windows Infrastructure app and the Splunk Supporting Add-on for Active Directory.
I can connect to the domain app using an administrator level account.
I can step through the guided setup for the Windows Infrastructure app - all the pre-reqs are checked as "OK",
the check for data shows 15 or more events, and two warnings - one for WinPrintMon (we do not do any printing from the windows servers in our domain), and the sourcetype="Winregistry" shows no events either.
From the Splunk Add-on for Microsoft Windows Active Directory:
All searches have completed
OK: 5 or more events detected in the last 24 hours
WARNING: Search "sourcetype="ActiveDirectory*" | head 5" did not return any events in the last 24 hours
Clicking "Next" takes me to Customization - for Windows I have: Event monitoring, Perf monitoring, host monitoring checked.
For Active Directory I have Domain Controllers checked (we have two, PDC and backup), Users, Computers, Group Policy and OUs checked.
When I click "Detect" I get "found" for most of the Windows settings, but nothing is "found" for the Active Directory selections.
The configuration shows as "saved" but I get no data in the AD Overview, and only 1 out of 16 hosts in the Windows Overview.