Splunk App for Windows Infrastructure: Why is the pre-built Active Directory new group search not working?

Path Finder

I've got everything installed and configured for the Splunk App for Windows Infrastructure. Most of the pre-built searches work fine, but the Active Directory -> Groups -> Security Group Reports -> Security Groups: New isn't returning any results even though I've made new groups recently and am running the search for the past 7 days.

Security Groups: All, Nested, etc. all seem to work fine.

0 Karma
1 Solution

Path Finder

Doh! UF wasn't installed on all DCs. Confirmed events are coming from DCs with the UF installed.

0 Karma

Esteemed Legend

Did you deploy this app to the Active Directory servers and turn on the msad inputs by setting disabled=false inside of inputs.conf? Did you restart the Splunk instances on those forwarders after deploying inputs.conf?

0 Karma

Path Finder

Yes, everything else seems to be working. I get results from other searches... Active Directory -> Groups -> Security Group Reports -> Security Groups: Empty returns results, as does All. The 'New' search is the only one that doesn't seem to be working.

0 Karma