"sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours

tannerd
New Member

I'm trying to get through the guided setup for the Windows Infrastructure App, but when running through the data checks for Active Directory, I get Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours. I have Active Directory data being pulled, and my msad index has data in it.

What am I missing? I have NO sourcetypes of "MSAD", but have tons of "Active Directory" source types.

Nothing in the forums has seemed to answer my question. I appreciate any assistance. Thank you.


paulgreenspan
Engager

You should check the splunkd.log on your AD machine to see if there are ERRORs.

Make sure that you have deployed the PowerShell (SA-ModularInput-PowerShell) and the other prereqs that are listed in here.

Here are the etc/apps that I have deployed on my forwarder:

drwx------+ 1 SYSTEM SYSTEM 0 Jun 30 09:36 introspection_generator_addon
drwx------+ 1 SYSTEM SYSTEM 0 Jun 30 09:36 search
drwx------+ 1 SYSTEM SYSTEM 0 Jun 30 09:37 SplunkUniversalForwarder
drwx------+ 1 SYSTEM SYSTEM 0 Jun 30 09:37 learned
drwx------+ 1 Administrator None 0 Jun 30 09:50 TA-DomainController-2012R2
drwx------+ 1 Administrator None 0 Jun 30 09:50 SA-ldapsearch
drwx------+ 1 Administrator None 0 Jun 30 09:50 splunk_app_windows_infrastructure
drwx------+ 1 Administrator None 0 Jun 30 09:50 SA-ModularInput-PowerShell
drwx------+ 1 Administrator None 0 Jun 30 10:12 Splunk_TA_windows

Also, make sure that the inputs.conf files do not have "disabled = 1" for the collections that you care about.

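As an added example (not code from this thread or from the Splunk apps it names), a small Python checker for the three things the answer above asks you to verify on the forwarder: ERROR lines in splunkd.log, the listed apps present under etc/apps, and no "disabled = 1" on the inputs.conf stanzas you need. The forwarder tree, the splunkd.log lines and the admon://NearestDC stanza built by demo() are constructed for the example.

```python
# Example checker for a Splunk forwarder; not part of any Splunk app. demo() builds a constructed tree.
import configparser
import os
import tempfile

# Apps the answer lists as deployed under etc/apps on the forwarder.
REQUIRED_APPS = (
    "Splunk_TA_windows",
    "SA-ModularInput-PowerShell",
    "SA-ldapsearch",
    "TA-DomainController-2012R2",
    "splunk_app_windows_infrastructure",
)

def log_errors(splunkd_log):
    """Return the ERROR lines from splunkd.log (its level field is space-delimited)."""
    with open(splunkd_log, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip() for line in fh if " ERROR " in line]

def missing_apps(etc_apps):
    """Return the required apps that are not present under etc/apps."""
    present = set(os.listdir(etc_apps)) if os.path.isdir(etc_apps) else set()
    return [app for app in REQUIRED_APPS if app not in present]

def disabled_stanzas(inputs_conf):
    """Return stanza names in one inputs.conf that carry disabled = 1 (or true)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(inputs_conf)  # Splunk .conf files are INI-style: [stanza] / key = value
    return [s for s in cp.sections()
            if cp.get(s, "disabled", fallback="0").strip().lower() in ("1", "true")]

def demo():
    """Build a constructed forwarder tree with one missing app, one switched-off
    input and one ERROR in splunkd.log, then run all three checks on it."""
    root = tempfile.mkdtemp()
    apps = os.path.join(root, "etc", "apps")
    for app in ("Splunk_TA_windows", "SA-ldapsearch", "search"):
        os.makedirs(os.path.join(apps, app, "local"))
    conf = os.path.join(apps, "Splunk_TA_windows", "local", "inputs.conf")
    with open(conf, "w", encoding="utf-8") as fh:  # constructed: the AD input is off
        fh.write("[admon://NearestDC]\ndisabled = 1\n\n"
                 "[perfmon://CPU]\ndisabled = 0\ncounters = % Processor Time\n")
    log = os.path.join(root, "var", "log", "splunk", "splunkd.log")
    os.makedirs(os.path.dirname(log))
    with open(log, "w", encoding="utf-8") as fh:  # constructed log lines
        fh.write("06-30-2015 09:50:01.000 +0000 INFO  ExecProcessor - started\n"
                 "06-30-2015 09:50:02.000 +0000 ERROR ExecProcessor - script failed\n")
    return {"errors": log_errors(log), "missing": missing_apps(apps),
            "disabled": disabled_stanzas(conf)}
```

Point the three functions at a real forwarder's etc/apps, each app's local/inputs.conf and var/log/splunk/splunkd.log to get the same report for your own host.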

butterslol
Engager

Hi,

You should make sure that your user actually is set to search these indexes by default. I found that once I went to Settings->Access Controls->Roles-> (pick a role your account has) ->Indexes searched by default and selected 'msad', 'perfmon', 'windows' and 'wineventlog' in addition to what was already there, the setup wizard found all the sourcetypes when it ran the search.

nwieseler
Path Finder

This was exactly my issue. Thank you for the idea all these years later.

Search "sourcetype="Perfmon*" | head 5" did not return any events in the last 24 hours
Search "sourcetype="WinHostMon*" | head 5" did not return any events in the last 24 hours
Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours
Search "sourcetype="ActiveDirectory*" | head 5" did not return any events in the last 24 hours

and so on...


demodav
Path Finder

Is Active Directory only for universal forwarders, or could it be used for intermediate forwarders?
