I have recently deployed Splunk Light for a trial.
It is on a Windows server, which is a domain member (single domain, single forest).
I have enabled the 'Splunk add-on for Windows' (and restarted).
I am using Splunk Web for all config etc.
I have then 'added data' with the 'Monitor -> Active Directory monitoring' option.
I created a dedicated, new index for this.
When I have finished, the input seems to complete (I step through the GUI and get a green tick at the end) - however on the home page 'what to search' I see no hosts, sources or source types. It still says 'no data added, please add data'.
Within settings I can see the data input I just created, and I can see data flowing into the index.
Pretty sure I have missed something basic - any clues?
Thanks in Advance..
Did you do all of this on the same server? I am assuming you have an all-in-one server on the Windows server in question but maybe you have a separate Search Head. In such a case, you need to do this work on the Forwarder, not the Search Head.
Hi ChrisG - thanks..
Total (splunk) newbie here - can you point me in the direction of a doco that shows how to use the commands listed in the link you provided?
I have only made any configuration via the web console so far... (tho I'm not afraid of CLIs...)
Hi, thecloudmode. Those are not CLI commands, they are searches. You enter them in the search bar:
If you are not yet oriented to the Splunk Light UI, then take a look at the in-product tour: Menu icon > Help > Product Tour.
Here is the Splunk Light documentation topic that talks about searches and results:
You should also take a look at the Search Tutorial, which is geared to Splunk Enterprise but the tasks, workflow, and experience will be very similar for Light.
Told you I was a total newbie!! (hand meet face)..
Thanks for the further info - appreciated. I will go through both the viewing search results link, and the search tutorial today.
I have just followed the initial link, and I get no results - I am wondering if 'check you have installed the add-on into the indexers in your deployment.' is my issue. This is a test deployment, so I am going to reinstall, and use the default index this time, and go from there....
Just an update ..
Thanks all for your help.
I ended up reinstalling (I had not put much effort into the install and therefore I did not lose much time).
Not sure what I had done wrong - will see if I end up in the same place this time.
Normally I would try to troubleshoot and resolve, for learning (shared learning in this case) - however I did not have the time..
I'm sure I'll be back though!