All Apps and Add-ons

Windows TA- Why are we not seeing any data in Splunk?

edwardrose
Contributor

Hello All,

 

I am trying to ingest some Azure data from our DCs.  I have the following two stanzas added to our Splunk_TA_windows inputs.conf and we still do not see any data and do not see any errors from any of the hosts that have the Azure data.

 

[WinEventlog://Microsoft-AzureADPasswordProtection-DCAgent/Admin]
index = wineventlog
disabled = 0
renderXml=true

[WinEventlog://Microsoft-AzureADPasswordProtection-DCAgent/Operational]
index = wineventlog
disabled = 0
renderXml=true

 

 

Not sure why we are not seeing any data in Splunk.  The AD admin says he sees logs on the host but not in Splunk.  So to me it seems that Splunk is not ingesting the data and I am lost as to why.

 

Thanks

Labels (2)
Tags (3)
0 Karma

asha_muniraju
Loves-to-Learn Lots

Hi,

did anyone fix this issue?

Thanks

0 Karma

Roy_9
Motivator

Have you checked the firewall rules and a connectivity test?

Did you find anything in your internal logs?

0 Karma

jbanAtSplunk
Communicator

Hey, did you find out solution?
I have same issue here?

0 Karma
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...