Hello Splunkers,
I have Splunk App for Windows Infrastructure installed and have done the setup, but when I get to the "customize features" section it can't find the AD data it is looking for. The Windows Overview dashboard is populating and it is finding some AD data, so I think the AD data is being ingested, just not being parsed correctly, but I don't know how to tell.
Thanks in advance for any help.
Here is the output of the "detect features" button.
Detecting Event Monitoring ...
Windows: Event Monitoring found.
Detecting Performance Monitoring ...
Windows: Performance Monitoring found.
Detecting Applications and Updates ...
Windows: Applications and Updates found.
Detecting Network Monitoring ...
Windows: Network Monitoring not found. (This one is expected)
Detecting Print Monitoring ...
Windows: Print Monitoring not found. (This one is expected)
Detecting Host Monitoring ...
Windows: Host Monitoring found.
Detecting Domains ...
Active Directory: Domains not found.
Detecting Domain Controllers ...
Active Directory: Domain Controllers not found.
Detecting DNS ...
Active Directory: DNS found.
Detecting Users ...
Active Directory: Users not found.
Detecting Computers ...
Active Directory: Computers not found.
Detecting Groups ...
Active Directory: Groups not found.
Detecting Group Policy ...
Active Directory: Group Policy found.
Detecting Organizational Units ...
Active Directory: Organizational Units found.
Splunk version: 7.3.0
Splunk app for Windows Infrastructure version: 2.0.1
Splunk Supporting Add-on for Active Directory version: 3.0.1 (Connection status on configuration tab is successful)
Possible explanation here. It's a few years old, though. The suggestion is that the detect features check only looks for events in the last 15 minutes. So click Enable on the 'not found' features and save.
The Windows Infrastructure dashboards should start populating data given enough time.
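One way to check whether the AD data the detector looks for actually exists outside its 15-minute lookback is a tstats search over a longer window, shown here as an added example (not from the original thread or the app's own detection searches). It assumes the standard Splunk_TA_windows sourcetypes `ActiveDirectory` (admon input) and `WinEventLog:Security`; substitute your own index and sourcetypes if they differ.

```spl
| tstats count AS events, min(_time) AS first_seen, max(_time) AS last_seen
    WHERE earliest=-24h latest=now
      (sourcetype="ActiveDirectory" OR sourcetype="WinEventLog:Security")
    BY sourcetype host
| eval minutes_since_last=round((now()-last_seen)/60)
| eval in_detector_window=if(minutes_since_last<=15, "yes", "no")
| convert ctime(first_seen) ctime(last_seen)
| sort sourcetype host
```

A host that shows events over 24 hours but `in_detector_window=no` is exactly the case the reply describes: the data is there, it just was not recent enough when you pressed Detect Features. No rows at all for a sourcetype means the input itself is not reaching this index and enabling the feature will not help.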
How did you end up going with this? I've had a similar thing (Perfmon and Printmon were expected for me, as I'd disabled the inputs) with my setup.
I haven't found much in the way of explanation in the doco, unfortunately, beyond a vague suggestion that the feature(s) may not work if Active Directory hasn't generated the logs on its end.
Sidenote - did you do anything to get the Applications and Updates detected?