Splunk Add-on for Microsoft Active Directory installed on the sh and indexer is an updated version. We get to see results on the dashboard, but we are bothered by that yellow warning icon. Is there anything we can get rid of the warning? Are we missing something? Thanks in advance
The eventtype does not exist in any of the windows apps on Splunkbase.
If you collect the windows directory services event log you can create a global eventtype that points to the index and source or sourcetype for that data.
If you do NOT collect the directory services event log, you can create something like this in any app and share it globally:
search = index=badindex sourcetype=bad
Presumably this will not return any data and will run quickly so it should not add much overhead to searches that reference it.
Once the search bundle gets deployed to the indexers the errors will go away.
We already checked on this answer. Correct me if I'm wrong. The following apps and add-ons are installed:
Search head- Splunk App for Windows Infrastructure, Splunk Add-on for Microsoft Active Directory, Splunk Supporting Add-on for Active Directory
Indexer - Splunk Add-on for Microsoft Active Directory, Windows DNS
Did I missed any add-on? Thanks in advance
You actually need to install that addon on the search head. The search head will send the knowledge objects to the indexer by itself
Hope this is helpful. All the best.
Hi @chrisyoungerjds ,
Yes I also installed it on the search head. I installed the same add-on to the indexer because the warning is telling that the eventtype is not existing or disabled in the indexer. We also used a universal forwarder for data collection that's why I installed the add-on in the indexer as per the documentation as well. But then, warning is still showing..