All Apps and Add-ons

Splunk for Active Directory - No incoming data from powershell source



I'm using Splunk app for Active Directory, i've installed and configured it to make it run.
I receive data regarding the CPU/RAM monitoring, general info, etc ... in the 3 index msad, perform & winevents.

Unfortunately, i don't receive any information regarding the DC status/helth.
I see it's due to the search "index=msad source=powershell", i'd never indexed data with the field source=powershell in the msad index (only index=msad source=ActiveDirectory).

How could i check where the problem come from ? The script doesn't work ? Isn't executed ? something else ?
The GPO making run the PS script on my DCs is enabled.

I use 1 splunk server with 2 Win 2012 DCs.

Some help would be fine 🙂

Thanks !

Splunk Employee
Splunk Employee

A couple of things to check first to make sure Powershell scripts can run –
1. Set the PS execution policy on the UF - Set-ExecutionPolicy remotesigned
2. Make sure that the Powershell script itself is not blocked – Open the script in Windows explorer=>Properties; Go to the security tab and unblock.

0 Karma