I installed this app; it shows my Active Directory logs. I have two ADs:
1: adp1.lab1.com
2: adp2.lab1.com
I want this app to show the logs from both ADs, but it shows the logs from just one. I configured the second DC like my first, but the app shows just one DC's logs. I rebuilt the app after configuring my second DC,
but it shows just the first DC's logs.
What should I do to receive the second one's logs in my app?
If you are configuring the Universal Forwarder on both DCs the same way, you may want to verify that there are no firewalls blocking traffic from the DC that you don't see data for. Also, in many cases, when users don't see data, it is useful to check the Data Summary. When you go into the Search and Reporting app, you will see the Data Summary button in the center of the screen. This will show you 3 tabs: Host, Source, and Sourcetype. You can check the host initially to see if the DC's hostname shows up. Sometimes you are getting the data, but just not finding it due to the search you may be using. Verify that you are setting the appropriate sourcetype as well.
In that case, I would verify that the data is being sent to the appropriate index and sourcetype per the documentation for the Splunk App for Windows Infrastructure. Are the logs from the second DC being sent to a different index and/or sourcetype than the first DC that you see in the app?
This is why it is a best practice to use a configuration management tool like Git/Puppet/Chef or Splunk's Deployment Server. Which one of these are you using?
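One way to run the index/sourcetype comparison and catch the configuration drift raised in the replies above, as an added example that is not part of the thread: the script diffs the forwarder `inputs.conf` taken from each DC. The stanza contents and index values are constructed samples, and `parse_conf` and `drift` are hypothetical helper names.

```python
# Added example; both inputs.conf texts are constructed samples, not from the thread.
DC1_INPUTS = """\
[WinEventLog://Security]
disabled = 0
index = wineventlog
[WinEventLog://System]
disabled = 0
index = wineventlog
"""
DC2_INPUTS = """\
[WinEventLog://Security]
disabled = 0
index = main
[WinEventLog://System]
disabled = 1
index = wineventlog
"""
KEYS = ("index", "sourcetype", "disabled")  # settings that decide where data lands


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # keys before any header belong to [default]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def drift(conf_a, conf_b, keys=KEYS):
    """Return (stanza, key, value_a, value_b) for every setting that differs."""
    a, b = parse_conf(conf_a), parse_conf(conf_b)
    return [
        (stanza, key, a.get(stanza, {}).get(key), b.get(stanza, {}).get(key))
        for stanza in sorted(set(a) | set(b))
        for key in keys
        if a.get(stanza, {}).get(key) != b.get(stanza, {}).get(key)
    ]


if __name__ == "__main__":
    for stanza, key, v1, v2 in drift(DC1_INPUTS, DC2_INPUTS):
        print(f"[{stanza}] {key}: first DC={v1!r}, second DC={v2!r}")
```

An empty result means the two forwarders route the same inputs to the same index and sourcetype, so the missing data is more likely a network or search-scope issue.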