
Why does the Splunk App for Windows Infrastructure not show any User, Computer, or Group data?

Explorer

We are running the following versions of Splunk and supporting apps for Windows infrastructure:

Splunk Enterprise 6.3.2
Splunk App for Windows Infrastructure 1.2.0
Splunk Supporting Add-on for Active Directory 2.1.2
Windows Add-on 4.8.1
German OS

The Splunk App for Windows Infrastructure does not show me any User, Computer, or Group entry.
Also the Guided Setup says "users not found" and "Groups not found", but "Computers found".
Also no OU is displayed in the "Org Units: All" dashboard.

On the DC the following apps are installed:
SA-ModularInput-PowerShell
sendtoindexer
SplunkTAwindows
TA-DNSServer-NT6
TA-DomainController-2012R2

Because I am totally new to Splunk, please can someone help me to figure out why I can't get data?

1 Solution

Explorer

Several issues:
SA-Ldapsearch was configured, but not in the way the App for Windows Infrastructure needs it to work correctly.
The "default" stanza must be filled out and a second stanza with the FQDN must exist. The Alternative name in both stanzas must be the same. The Wizard detects duplicates, so one Alternative Name should be written in UPPERCASE and one in lowercase.
Last but not least, if you are running the Splunk server on a German OS, you don't see data in some dashboards. So I had to switch to an English OS for the Splunk server. After this ALL dashboards show information. To make it clear: data was sent to the indexes, but the dashboards could not display it.
Also the event logs from non-English servers should be sent as XML.
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/

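As an added illustration (not from the original answer or from the app itself), here is an SA-ldapsearch `ldap.conf` laid out the way the answer describes: a populated `[default]` stanza plus a second stanza named after the domain FQDN, both carrying the same alternate domain name but in different case so the guided setup wizard does not flag them as duplicates. The domain, base DN, server and bind account are constructed placeholders, and mapping the answer's "Alternative name" onto the `alternatedomain` key is my assumption.

```ini
# $SPLUNK_HOME/etc/apps/SA-ldapsearch/local/ldap.conf
# Added example; every value below is a constructed placeholder.

# The [default] stanza must be filled out, not left empty.
[default]
server = dc01.corp.example.com
port = 636
ssl = 1
basedn = DC=corp,DC=example,DC=com
binddn = CN=svc-splunk-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com
password = <set through the SA-ldapsearch setup page, not typed in here>
# Alternate (short) domain name, written in UPPERCASE in this stanza ...
alternatedomain = CORP

# Second stanza, named after the domain FQDN, with the same settings.
[corp.example.com]
server = dc01.corp.example.com
port = 636
ssl = 1
basedn = DC=corp,DC=example,DC=com
binddn = CN=svc-splunk-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com
password = <same bind password, set through the setup page>
# ... and in lowercase here, so the wizard does not treat the two stanzas as duplicates.
alternatedomain = corp
```

Using port 636 with `ssl = 1` keeps the bind credentials off the wire in cleartext; a least-privilege, read-only bind account is enough for the user, group and computer lookups these dashboards run.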


Contributor

Please transform your comment into an answer and accept it as the answer! This is really helpful!


Splunk Employee

Usually:
- index permissions: check in your role whether you can search the specific Windows indexes by default, or make sure you inherit from a role that can.
- also, some dashboards have a dependency on the LDAP search add-on (SA-Ldapsearch) to talk to your AD server.

Splunk Employee

Within the search app, do you see any data at all related to these sourcetypes? That is, if you go to apps -> search and reporting -> search for "*", do you see any results? If not, if you change your search to index=*, do you see any data?

Explorer

`index=msad` shows a lot of data.
`source=ActiveDirectory` also exists, with thousands of events.

I can use the Splunk App for Windows Infrastructure and browse all data, e.g. DNS, Domain Status, Health Status; only the dashboards for Users, Groups, OUs and Computers have no data when I open them.


Splunk Employee

I see. Those dashboards require SA-Ldapsearch to populate. Can you confirm if you have that installed and configured? https://splunkbase.splunk.com/app/1151/