
Why am I not getting the users, computers, and groups data from Windows Active Directory (AD) into Splunk?

ahmedzard
Explorer

Dears,

We are running the following versions of Splunk and supporting apps for Windows infrastructure:

Splunk Enterprise: 7.2.3
Splunk App for Windows Infrastructure (splunk_app_windows_infrastructure): 1.5.1
Splunk Add-on for Microsoft Windows (Splunk_TA_windows): 4.8.4
Splunk Add-on for Microsoft Windows DNS (Splunk_TA_microsoft_dns): 1.0.1
Splunk Add-on for Microsoft Active Directory (Splunk_TA_microsoft_ad): 1.0.0
Splunk Supporting Add-on for Active Directory (SA-ldapsearch): 2.2.0
Splunk Add-on for PowerShell (SA-ModularInput-PowerShell): 1.2.1
RHEL OS: 7.3

The Splunk App for Windows Infrastructure does not show me any User, Computer, or Group entry.
Also, the Guided Setup says "users not found", "Computers not found" and "Groups not found".
All dashboards related to them don't display anything.

On the Windows AD Domain Controller the following apps are installed:
Splunk App for Windows Infrastructure (splunk_app_windows_infrastructure): 1.5.1
Splunk Add-on for Microsoft Windows (Splunk_TA_windows): 4.8.4
Splunk Add-on for Microsoft Windows DNS (Splunk_TA_microsoft_dns): 1.0.1
Splunk Add-on for Microsoft Active Directory (Splunk_TA_microsoft_ad): 1.0.0
Splunk Add-on for PowerShell (SA-ModularInput-PowerShell): 1.2.1
sendtoindexer
TA-DomainController-NT6
TA-DNSServer-NT6

Please can someone help me figure out why I can't get data?

answerportvik
New Member

I was having this issue and just recently resolved it.

I troubleshot this by searching for

    eventtype=msad-successful-user-logons

which returned no results. Further investigation revealed that no eventlog:security items were being indexed.

I searched

    eventtype=msad-dc-health

which is generated on the universal forwarder from PowerShell scripts enabled in inputs.conf. This returned current data normally.

I determined that the UF was configured correctly and was sending data, which was being received and stored in the correct index, and that Active Directory audit data was not being generated.

I resolved the issue by manually configuring a new set of audit GPs, applying it to my domain controller OU, and setting the "enforced" attribute in GPMC.

0 Karma

answerportvik
New Member

Just to clarify, I needed to configure Advanced Audit Configuration in GP, including:

Audit Computer Account Management: Success, Failure
Audit Distribution Group Management: Success, Failure
Audit Security Group Management: Success, Failure
Audit User Account Management: Success, Failure
Audit Directory Service Access: Success, Failure
Audit Directory Service Changes: Success, Failure

0 Karma
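
A way to verify the fix described in the two replies above, added here as an example and not part of the original posts: it reads the effective audit policy on the domain controller, checks the six listed subcategories, and confirms the Security log is receiving events. It assumes an elevated PowerShell session and an English-language OS, since auditpol prints localized subcategory names.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# Assumption: English OS (auditpol subcategory names are localized).

$required = @(
    'Computer Account Management',
    'Distribution Group Management',
    'Security Group Management',
    'User Account Management',
    'Directory Service Access',
    'Directory Service Changes'
)

# auditpol /r emits CSV; drop blank lines before parsing.
$policy = auditpol /get /category:* /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv

# Compare the effective setting of each required subcategory with the target.
$report = foreach ($name in $required) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $name
        Effective   = $setting
        Ok          = ($setting -eq 'Success and Failure')
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Ok })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) subcategories are not set to Success and Failure; check which GPO wins on the Domain Controllers OU."
}

# Confirm the Security log has at least one event from the last hour.
# If this is empty, the forwarder has nothing to send regardless of inputs.conf.
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    StartTime = (Get-Date).AddHours(-1)
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($recent) {
    "Latest Security event: ID $($recent.Id) at $($recent.TimeCreated)"
} else {
    Write-Warning 'No Security log events in the last hour.'
}
```

If the table shows the expected settings and the Security log has recent events but the eventtype searches still return nothing, the gap is on the forwarding or indexing side and not in the audit policy.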