I've got everything installed and configured for the Splunk App for Windows Infrastructure. Most of the pre-built searches work fine, but the Active Directory -> Groups -> Security Group Reports -> Security Groups: New isn't returning any results even though I've made new groups recently and am running the search for the past 7 days.
Security Groups: All, Nested, etc. all seem to work fine.
Did you deploy this app to the Active Directory servers and turn on the
msad inputs by setting
disabled=false inside of
inputs.conf? Did you restart the splunk instances on those forwarders after deploying
Yes, everything else seems to be working. I get results from other searches... Active Directory -> Groups -> Security Group Reports -> Security Groups: Empty returns results, as does All. The 'New' search is the only one that doesn't seem to be working.
Doh! UF wasn't installed on all DCs. Confirmed events are coming from DCs with the UF installed.