Solved: Splunk App for Windows Infrastructure: Why does se...

tckoaypg · ‎04-05-2015

My Splunk Ent V 6.2.2 running in Linux installed with Windows Add-on 4.75, Splunk App for Windows Infrastructure 1.12, Splunk Supporting Add-on for Active Directory 2.01.

My AD running in Win 2008 with Universal Forwarder installed, Splunk TA For Windows, Splunk PowerShell module installed.

However, I still getting "MSAD did not return any event during the Windows Infra Setup Page, check data section."

Data from Splunk Add-on for Microsoft Windows Active Directory
Critical data could not be found
OK: 15 or more events detected in the last 24 hours
ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours

When I search index=* source="activedirectory", it does display AD events which show that the AD settings is correct. How do I troubleshoot with this issue?

tckoaypg · ‎04-05-2015

Problem resolved by Install TA for DomainController to Windows Server that you need to monitor. I extract the TA for DomainController from Splunk app for microsoft exchange.

View solution in original post

tckoaypg · ‎04-05-2015

Problem resolved by Install TA for DomainController to Windows Server that you need to monitor. I extract the TA for DomainController from Splunk app for microsoft exchange.

Splunk App for Windows Infrastructure: Why does search sourcetype=MSAD return no events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation