Windows Infrastructure app - Active Directory Error

eliasit
Path Finder

Hello Splunkers,
I have the Splunk App for Windows Infrastructure installed and have done the setup, but when I get to the "customize features" section it can't find the AD data it is looking for. The Windows Overview dashboard is populating and it is finding some AD data, so I think the AD data is being ingested, just not being parsed correctly, but I don't know how to tell.
Thanks in advance for any help.

Here is the output of the "detect features" button.
Detecting Event Monitoring ...
Windows: Event Monitoring found.
Detecting Performance Monitoring ...
Windows: Performance Monitoring found.
Detecting Applications and Updates ...
Windows: Applications and Updates found.
Detecting Network Monitoring ...
Windows: Network Monitoring not found. (This one is expected)
Detecting Print Monitoring ...
Windows: Print Monitoring not found. (This one is expected)
Detecting Host Monitoring ...
Windows: Host Monitoring found.
Detecting Domains ...
Active Directory: Domains not found.
Detecting Domain Controllers ...
Active Directory: Domain Controllers not found.
Detecting DNS ...
Active Directory: DNS found.
Detecting Users ...
Active Directory: Users not found.
Detecting Computers ...
Active Directory: Computers not found.
Detecting Groups ...
Active Directory: Groups not found.
Detecting Group Policy ...
Active Directory: Group Policy found.
Detecting Organizational Units ...
Active Directory: Organizational Units found.

Splunk version: 7.3.0
Splunk app for Windows Infrastructure version: 2.0.1
Splunk Supporting Add-on for Active Directory version: 3.0.1 (Connection status on configuration tab is successful)


Ibbers
Explorer

Possible explanation here; it is a few years old, though. The suggestion is that the "detect features" check only looks for events in the last 15 min. So click Enable on the "not found" features, and save.

The Windows Infrastructure dashboards should start populating data given enough time.

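One way to confirm that explanation before enabling the features blindly is to compare what the index holds inside the 15-minute window against a longer window. The search below is an added example and is not from the original thread or the app itself; it assumes the admon input of the Splunk Add-on for Microsoft Windows is writing events with sourcetype=ActiveDirectory and populating the admonEventType field (both assumptions, adjust if your environment uses a different sourcetype).

```spl
sourcetype=ActiveDirectory earliest=-7d latest=now
| eval window=if(_time >= relative_time(now(), "-15m"), "last_15m", "older")
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen by host window admonEventType
| convert ctime(first_seen) ctime(last_seen)
| sort host admonEventType window
```

If the result has rows only in the "older" window, AD data is being indexed and the detection is simply missing it because nothing changed in the domain during the last 15 minutes; enabling the features manually, as suggested above, is then the right call. If there are no rows at all, the problem is ingestion rather than detection: check that the [admon://...] stanza on the domain controller's forwarder is enabled (setting baseline = 1 gives an initial dump of existing objects instead of waiting for changes) and that the data lands in an index the app searches.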

Ibbers
Explorer

How did you end up going with this? I've had a similar thing (Perfmon and Printmon were expected for me, as I'd disabled the inputs) with my setup.

I haven't found much in the way of explanation in the doco, unfortunately, beyond a vague suggestion that the feature(s) may not work if Active Directory hasn't generated the logs on its end.

Sidenote - did you do anything to get the Applications and Updates detected?
