
Splunk Add-on for Microsoft Windows Active Directory: Why does my search "sourcetype="ActiveDirectory*" | head 5" not return any events?

wilhelmF
Path Finder

Hi,

We are having trouble receiving events from sourcetype="ActiveDirectory*". We did everything that was explained in the documentation:
- amend GPO Group Policies
- amend PowerShell settings for local and remote signed script execution
- install Splunk Add-on for Microsoft PowerShell
- install Splunk Add-on for Microsoft Windows Active Directory

We are receiving most data from Active Directory, but sourcetype="ActiveDirectory*" is missing. The Splunk Add-on for Microsoft PowerShell seems to work properly. Group Policies are set correctly. The other checks on the msad index went well, and we can see events arriving in msad. (Please have a look at the screenshot below from the guided setup in the Splunk App for Windows Infrastructure.) Any ideas?


0 Karma

wilhelmF
Path Finder

Thank you for your answer:

  1. I added the necessary indexes to my role. I should also be allowed to read all indexes. I tried adding index=* before my search. Still no success.
  2. I don't use custom indexes.
  3. I see some events for sourcetype="WinEventLog:Directory-Service", but too few. My question here is: if the sourcetype for Active Directory should be sourcetype="WinEventLog:Directory-Service", why then is the Windows Infrastructure App searching for sourcetype="ActiveDirectory*"?

Thanks

0 Karma

3no
Communicator

Can you check these points?

1 - Are you sending your logs to the main index? Check your role; maybe you don't have access to this index by default.
You can also try adding index=* or index=[your_index_name] before your search.

2 - If you are using a custom index, make sure it's well defined on your indexers and that you can access it.

3 - Also, I'm pretty sure that by default the sourcetype for Active Directory should be something like sourcetype="WinEventLog:Directory Service"

0 Karma
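Two searches that work through points 1 and 3 of the answer above, added here as an example and not part of the original thread. They assume the search head can query its own REST API and that `<your_role>` is replaced with the role the searching user holds.

```spl
| tstats count WHERE index=* earliest=-24h BY index sourcetype
| search sourcetype="ActiveDirectory*" OR sourcetype="WinEventLog:Directory*"
| sort - count
```

```spl
| rest /services/authorization/roles splunk_server=local
| search title="<your_role>"
| table title srchIndexesAllowed srchIndexesDefault
```

If the first search lists only WinEventLog sourcetypes, the data is indexed but not under the name the app expects; if an index is missing from srchIndexesAllowed in the second, the role cannot see it regardless of what was indexed.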