I'm trying to get through the guided setup for the Windows Infrastructure App, but when running through the data checks for Active Directory, I get: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours. I have Active Directory data being pulled, and my msad index has data in it.
What am I missing? I have NO sourcetypes of "MSAD", but have tons of "Active Directory" sourcetypes.
Nothing in the forums has seemed to answer my question. I appreciate any assistance. Thank you
You should check the splunkd.log on your AD machine to see if there are ERRORs.
Make sure that you have deployed the PowerShell (SA-ModularInput-PowerShell) and the other
prereqs that are listed in here.
Here are the etc/apps that I have deployed on my forwarder:
drwx------+ 1 SYSTEM SYSTEM 0 Jun 30 09:36 introspection_generator_addon
drwx------+ 1 SYSTEM SYSTEM 0 Jun 30 09:36 search
drwx------+ 1 SYSTEM SYSTEM 0 Jun 30 09:37 SplunkUniversalForwarder
drwx------+ 1 SYSTEM SYSTEM 0 Jun 30 09:37 learned
drwx------+ 1 Administrator None 0 Jun 30 09:50 TA-DomainController-2012R2
drwx------+ 1 Administrator None 0 Jun 30 09:50 SA-ldapsearch
drwx------+ 1 Administrator None 0 Jun 30 09:50 splunk_app_windows_infrastructure
drwx------+ 1 Administrator None 0 Jun 30 09:50 SA-ModularInput-PowerShell
drwx------+ 1 Administrator None 0 Jun 30 10:12 Splunk_TA_windows
Also, make sure that the inputs.conf files do not have "disabled = 1" for the collections that you care about.
Hi,
You should make sure that your user is actually set to search these indexes by default. I found that once I went to Settings -> Access Controls -> Roles -> (pick a role your account has) -> Indexes searched by default, and selected 'msad', 'perfmon', 'windows' and 'wineventlog' in addition to what was already there, the setup wizard found all the sourcetypes when it ran the search.
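The two answers above point at two different Splunk config files: inputs.conf on the forwarder (a stanza with disabled = 1 collects nothing, so the index never fills) and authorize.conf on the search head (a role whose srchIndexesDefault omits msad/perfmon/windows/wineventlog makes the wizard's unqualified `sourcetype="MSAD*"` search come back empty even though the data is there). The following script is an added example, not code from the Windows Infrastructure app or from either poster; it parses both files with one small .conf reader and reports the stanzas and indexes that would cause exactly these symptoms. The stanza contents and role definitions are constructed samples, not copied from the real add-ons.

```python
import configparser

# Constructed sample inputs.conf in the style of Splunk_TA_windows. The
# admon:// stanza is deliberately disabled so the msad index stays empty.
SAMPLE_INPUTS_CONF = """
[admon://NearestDC]
targetDc =
monitorSubtree = 1
disabled = 1
index = msad

[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = *
interval = 10
disabled = 0
index = perfmon

[WinEventLog://Security]
disabled = 0
index = wineventlog
"""

# Constructed sample authorize.conf: 'user' may search the Windows indexes
# but does not search them by default, which is the second answer's problem.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;msad;perfmon;wineventlog;windows
srchIndexesDefault = main

[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = *;_*
"""

# Indexes the Windows Infrastructure data checks search without an index= clause.
REQUIRED_INDEXES = ("msad", "perfmon", "windows", "wineventlog")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk conf files are INI-like, but stanza names contain '://' and keys
    are case-sensitive, so the parser's default lowercasing is turned off and
    '%' interpolation is disabled (perfmon counter names contain '%').
    """
    cp = configparser.RawConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def disabled_stanzas(inputs_conf):
    """Return input stanza names that will never collect because disabled = 1/true."""
    return [
        stanza for stanza, kv in inputs_conf.items()
        if kv.get("disabled", "0").strip().lower() in ("1", "true")
    ]


def missing_default_indexes(authorize_conf, role, required=REQUIRED_INDEXES):
    """Return the required indexes that `role` does not search by default.

    A '*' entry in srchIndexesDefault means every non-internal index is
    searched, so nothing is reported as missing in that case.
    """
    kv = authorize_conf.get(f"role_{role}", {})
    defaults = [i.strip() for i in kv.get("srchIndexesDefault", "").split(";") if i.strip()]
    if "*" in defaults:
        return []
    return [i for i in required if i not in defaults]


if __name__ == "__main__":
    inputs = parse_conf(SAMPLE_INPUTS_CONF)
    for stanza in disabled_stanzas(inputs):
        print(f"inputs.conf: [{stanza}] is disabled; index "
              f"'{inputs[stanza].get('index', 'default')}' will not receive events")

    authorize = parse_conf(SAMPLE_AUTHORIZE_CONF)
    for role in ("user", "admin"):
        missing = missing_default_indexes(authorize, role)
        if missing:
            print(f"authorize.conf: role '{role}' does not search {missing} by default")
        else:
            print(f"authorize.conf: role '{role}' searches all required indexes by default")
```

On a real forwarder the effective inputs.conf is the merge of every app's default/ and local/ directories, so feed this the output of `splunk btool inputs list --debug` (or read each app's local/inputs.conf in turn) rather than a single file; the same applies to authorize.conf on the search head.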
This was exactly my issue. Thank you for the idea all these years later.
Search "sourcetype="Perfmon*" | head 5" did not return any events in the last 24 hours
Search "sourcetype="WinHostMon*" | head 5" did not return any events in the last 24 hours
Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours
Search "sourcetype="ActiveDirectory*" | head 5" did not return any events in the last 24 hours
and so on...
Is Active Directory only for universal forwarders, or could it be used for intermediate forwarders?