Solved: Re: Splunk App Windows Infrastructure upgrade - No... - Page 3

linusHillyard · ‎12-18-2014

I've recently upgraded to Splunk App for Windows Infrastructure 1.1.1 from version 1.0.4. Previously I had no issues with Active Directory data detection or Splunk App for Active Directory(SA-ldapsearch) version 2.0.1 and can still successfully search for queries like '|ldapsearch domain=DOMAIN search="(cn=Administrator)"'). Since the upgrade, when I run through the first-time setup wizard I get the error, "ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours" when checking for data being provided by the environment.

I'm then provided with a link named, "Splunk Add-on for Microsoft Windows Active Directory for Splunk Universal Forwarder" however the link takes me to setup instruction for the Windows Infrastructure App. Since I'm still able to perform ldapsearch queries from the search app I'd assume the Splunk App for Active Directory is working correctly.

Also, when viewing the upgrade instruction(http://docs.splunk.com/Documentation/MSApp/1.1.1/MSInfra/UpgradetheSplunkAppforWindowsInfrastructure) you're instructed to download 'Splunk Supporting Add-on for Active Directory version 2.0.2 or later' however version 2.0.1 is the latest version I can currently find for download.

I'd appreciate any insight as I've hit a wall and cannot proceed with the upgraded version of the Windows Infrastructure app.

malmoore · ‎12-18-2014

Hi,

Have you made sure that the user that you log into Splunk Enterprise with has the 'winfra-admin' role? That role lets you search the proper default indexes that come with the app.

The Splunk Supporting Add-on for Active Directory is currently at version 2.0.1. The reference to 2.0.2 has been corrected. Apologies for any confusion.

View solution in original post

malmoore · ‎12-11-2015

Test comment

malmoore · ‎12-09-2015

Test comment

malmoore · ‎12-09-2015

Unsure why my comment didn't post. You need to copy the apps to '$SPLUNK_HOME/etc/deployment_apps' on the deployment server and then restart Splunk Enterprise. The apps should then appear.

malmoore · ‎12-09-2015

You need to put the apps in the $SPLUNK_HOME/etc/deployment_apps directory on your deployment server. Then, restart Splunk Enterprise and log in to that instance and you should see the apps listed there.

malmoore · ‎12-09-2015

Those instructions in the app docs would be found here.

dolejh76 · ‎12-09-2015

Just looked at this - unless I am blind these are good except for step 2. Since he is using a linux splunk server you need to push them to the path I specified above.

malmoore · ‎12-19-2014

Right, it's the data check that is failing.

Events with source type MSAD go into the 'msad' index by default.

Make sure that the 'winfra-admin' role searches the 'msad', 'perfmon', and 'winevents' roles by default.

In the Splunk system bar, select "Settings" > "Access controls." From there , click "Roles", then click "winfra-admin." Once you get to that page, scroll down to "Indexes searched by default." The three indexes I mentioned above should be in the "Selected Indexes" pane.

linusHillyard · ‎12-21-2014

This is exactly what I needed, thanks for the suggestion.

Splunk App Windows Infrastructure upgrade - No "sourcetype="MSAD*" found

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!