Hello, I spent some time configuring my Active Directory app, but no results are coming up from the dashboard. Every graph says: "no results found".
If I remove 'host!="*" ' from a search (let's say the Security->logon failed search), I DO get a result. The same thing happens on some other searches.
Logs are coming in correctly: logs are coming from a forwarder with TA_addon going to the "winevents" index (I changed the inputs.conf). On the indexer: TA_addon is installed but not configured, sa_ldapsearch is installed and configured, and the Activedirectory app is installed and searching in the winevents index (I changed the eventtypes.conf).
The version of TA_ADDON used is 4.6; Activedirectory: 1.1.3
Should I modify the app to remove host!="*" in every search? Any idea what I'm doing wrong?
Thanks
Make sure you have the right TA (NT5 > win2003, NT6 win2008) in the domain controller's Splunk forwarder:
TA-DNSServer-NT5
TA-DNSServer-NT6
TA-DomainController-NT5
TA-DomainController-NT6
You can find them in splunk\etc\apps\Splunk_for_ActiveDirectory\appserver\addons
In the dashboard Security->user logon failures, the graphs are empty: "no results found. inspect...". If I click on inspect, the search contains this host!="". If I copy/paste this search WITHOUT the host!="", I'm getting a result.
But I guess the trouble is elsewhere: the upper part of the dashboard is empty (in Forest, domain, ...).
Part of the answer is that my forwarder on my domain controller only contains the TA_windows app.
I forgot to add the apps TA-DNSServer-NT6 and TA-DomainController-NT6 on the domain controller
(you get them in active_directory/appserver/addons on your indexer).
Copied the app to the domain controller's forwarder, restarted the service, and boom: graphs are OK, domain and site appear at the top of the Active Directory app... Great, thanks.
Where do you have this host!="*"? Because I cannot find it in any of the app's conf files.