All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App Windows Infrastructure upgrade - No "sourcetype="MSAD*" found

linusHillyard
Explorer
‎12-18-2014 06:18 PM

I've recently upgraded to Splunk App for Windows Infrastructure 1.1.1 from version 1.0.4. Previously I had no issues with Active Directory data detection or Splunk App for Active Directory(SA-ldapsearch) version 2.0.1 and can still successfully search for queries like '|ldapsearch domain=DOMAIN search="(cn=Administrator)"'). Since the upgrade, when I run through the first-time setup wizard I get the error, "ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours" when checking for data being provided by the environment.

I'm then provided with a link named, "Splunk Add-on for Microsoft Windows Active Directory for Splunk Universal Forwarder" however the link takes me to setup instruction for the Windows Infrastructure App. Since I'm still able to perform ldapsearch queries from the search app I'd assume the Splunk App for Active Directory is working correctly.

Also, when viewing the upgrade instruction(http://docs.splunk.com/Documentation/MSApp/1.1.1/MSInfra/UpgradetheSplunkAppforWindowsInfrastructure) you're instructed to download 'Splunk Supporting Add-on for Active Directory version 2.0.2 or later' however version 2.0.1 is the latest version I can currently find for download.

I'd appreciate any insight as I've hit a wall and cannot proceed with the upgraded version of the Windows Infrastructure app.

Reply
1 Solution
Solved! Jump to solution
Solution

malmoore
Splunk Employee
Splunk Employee
‎12-18-2014 10:44 PM

Hi,

Have you made sure that the user that you log into Splunk Enterprise with has the 'winfra-admin' role? That role lets you search the proper default indexes that come with the app.

The Splunk Supporting Add-on for Active Directory is currently at version 2.0.1. The reference to 2.0.2 has been corrected. Apologies for any confusion.

View solution in original post

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...