Deployment Architecture

AD overview, Windows Overview - no data

eholz1
Contributor

Hello all,
I am using splunk Enterprise 7.3.1, with the windows apps and the AD add-on for windows AD.
I get no data in the Windows Overview or the AD overview. There is no current data in the wineventlog and no data in the winevents log. I have used the inputs.conf file as mentioned in the splunk documentation here:
docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindowsversion6.0.0orlater

I have inputs.conf files in etc\system\local and app\splunk_TA_windows\local
and wmi.conf file in etc\system\local

What am I missing in the configuration?

Thanks
eholz1

Tags (1)
0 Karma

skalliger
SplunkTrust
SplunkTrust

Did you deploy the Windows TA to a Universal Forwarder? Is the UF running as a domain account or LOCAL SYSTEM?
Does the UF send any data at all? Look for the host in index=_internal.

Skalli

0 Karma

eholz1
Contributor

Hello skalliger,

Thanks for the reply. I ended up re-installing the app. And many of the issues are gone now.
I have not yet re-installed the Windows Infrastructure or the Windows app for AD as yet.
We are not using the UF on any of the Windows boxes.

We are using WMI to query the logs. The version of splunk is 7.3.1 and it runs as a domain user (for WMI access), and the user is also in the local users on the splunk server/indexer.

I think that I have discovered the problem as far as the event logs, etc. Currently the machines that are being monitored via WMI are storing their logs in the "default" index. If I decide to re-install the apps - the indexes will have to be changed as appropriate: like "winevents" or "windowslogs" etc.

Thanks Again,
Eholz1

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...