All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App for Windows Infrastructure

khanlarloo
Explorer
‎07-09-2018 12:36 AM

hi
i install this app,it shows my active directory logs.i have two ad :
1 : adp1.lab1.com
2 : adp2.lab1.com

i want this app shows my 2 ad logs but it shows just one ad logs, i configure the second dc as my first. but the app shows just one dc logs.i rebuild the app after configuring my second dc.
but it shows just the first dc logs.
what should i do to receive the second one logs in my app?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-09-2018 09:30 AM

This is why it is a best practice to use a configuration management tool like Git/Puppet/Chef or Splunk's Deployment Server. Which one of these are you using?

0 Karma
Reply

khanlarloo
Explorer
‎07-10-2018 04:01 AM

non of them

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎07-09-2018 06:37 AM

If you are configuring the Universal Forwarder on both DCs the same way, you may want to verify that there are no firewalls blocking traffic from the DC that you don't see data for. Also, in many cases, when users don't see data, it is useful to check the Data Summary. When you go into the Search and Reporting app, you will see the Data Summary button in the center of the screen. This will show you 3 tabs. Host, Source, and Sourcetype. You can check the host initially to see if the DCs hostname shows up. Sometimes you are getting the data, but just not finding it do to the search you may be using. Verify that you are setting the appropriate sourcetype as well.

0 Karma
Reply

khanlarloo
Explorer
‎07-10-2018 04:01 AM

The second dc sends logs to splunk, i see the logs in data summary. but in the app i can't search.

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎07-10-2018 04:41 AM

In that case, I would verify that the data is being sent to the appropriate index and sourcetype per the documentation for the Splunk App for Windows Infrastructure. Are the logs from the second DC being sent to a different index and/or sourcetype than the first DC that you see in the app?

0 Karma
Reply

khanlarloo
Explorer
‎07-10-2018 04:50 AM

no both of them send their logs to the same sourcetype and index

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...