Hi, banging my head against a wall with this. Some background: basically I have had to recreate a new indexer search head which is standalone to the version 8. I have managed to import the old data in after some head scratching.
I want to use the Splunk App for Windows Infrastructure, but when going through the guided setup I get this.
All prereqs were passed.
I have followed the guide and deployed the Splunk_TA_Windows app to one of my DCs.
On further investigation, and after restarting the Splunk services, I noticed all the indexes it is trying to search in the guided setup don't exist. I'm obviously out of my depth with this and am going around in circles. What have I missed?
Any help appreciated because I'm stumped. Regards M
I am ingesting data from all my domain controllers. It was set up to get logons and logoffs and all group changes, and I can see the data.
I created the index MSAD but unfortunately no dice. I also copied the inputs.conf file into the local directory on the DC that I have the app deployed to.
Can you determine if data for those sourcetypes exist? Maybe run a search for each of those sourcetypes across the past 24 hours to make sure you are even ingesting that data. If so, determine which index the data is going to and see if that index aligns with the index the app is searching. You may need to change which index the app is searching or send the data to the index the app is searching. I remember when I set up the add-ons and apps for Windows all of the recommendations for sourcetypes and indexes were covered in the docs.
I know you said the indexes aren't present and you rebuilt the indexer; maybe the data is going to an index that no longer exists on the indexer. Bottom line, I would determine if you are even getting the data into an index and go from there. Hope this provides some help.
So I went back and reread that link and noticed I hadn't changed the mode to single. I did that and now at least most of them seem to be coming through; the sourcetypes are there now. The MSAD one is the one I created the index for, which I am now about to delete.