All Apps and Add-ons

Windows Infrastructure app - Active Directory Error

Path Finder

Hello Spunkers,
I have Splunk app for Windows Infrastructure installed and have done the setup but when I get to the "customize features" section it can't find the AD data it is looking for. The Windows Overview dashboard is populating and it is finding some AD data, so I think the AD data is being ingested just not being parsed correctly, but I don't know how to tell.
Thanks in advance for any help.

Here is the output of the "detect features" button.
Detecting Event Monitoring ...
Windows: Event Monitoring found.
Detecting Performance Monitoring ...
Windows: Performance Monitoring found.
Detecting Applications and Updates ...
Windows: Applications and Updates found.
Detecting Network Monitoring ...
Windows: Network Monitoring not found. (This one is expected)
Detecting Print Monitoring ...
Windows: Print Monitoring not found. (This one is expected)
Detecting Host Monitoring ...
Windows: Host Monitoring found.
Detecting Domains ...
Active Directory: Domains not found.
Detecting Domain Controllers ...
Active Directory: Domain Controllers not found.
Detecting DNS ...
Active Directory: DNS found.
Detecting Users ...
Active Directory: Users not found.
Detecting Computers ...
Active Directory: Computers not found.
Detecting Groups ...
Active Directory: Groups not found.
Detecting Group Policy ...
Active Directory: Group Policy found.
Detecting Organizational Units ...
Active Directory: Organizational Units found.

Splunk version: 7.3.0
Splunk app for Windows Infrastructure version: 2.0.1
Splunk Supporting Add-on for Active Directory version: 3.0.1 (Connection status on configuration tab is successful)

0 Karma


Possible explanation here. Few years old though. The suggestion is that the detect features check only looks for events in the last 15min. So click enable on the 'not found' features, and save.

The Windows Infrastructure dashboards should start populating data given enough time.

0 Karma


How did you end up going with this? I've had a similiar thing (Perfmon and Printmon were expected for me, as I'd disabled the inputs) with my setup.

I haven't found much in the way of explanation unfortunately in doco, beyond a vague suggestion that the feature/s may not work if Active Directory hasn't generated the logs on its end.

Sidenote - did you do anything to get the Applications and Updates detected?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...