Deployment Architecture

AD overview, Windows Overview - no data

eholz1
Contributor

Hello all,
I am using Splunk Enterprise 7.3.1, with the Windows apps and the AD add-on for Windows AD.
I get no data in the Windows Overview or the AD Overview. There is no current data in the wineventlog and no data in the winevents log. I have used the inputs.conf file as mentioned in the Splunk documentation here:
docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindowsversion6.0.0orlater

I have inputs.conf files in etc\system\local and app\splunk_TA_windows\local
and wmi.conf file in etc\system\local

What am I missing in the configuration?

Thanks
eholz1


skalliger
Motivator

Did you deploy the Windows TA to a Universal Forwarder? Is the UF running as a domain account or LOCAL SYSTEM?
Does the UF send any data at all? Look for the host in index=_internal.

Skalli


eholz1
Contributor

Hello skalliger,

Thanks for the reply. I ended up re-installing the app, and many of the issues are gone now.
I have not yet re-installed the Windows Infrastructure app or the Windows app for AD.
We are not using the UF on any of the Windows boxes.

We are using WMI to query the logs. The version of Splunk is 7.3.1 and it runs as a domain user (for WMI access), and the user is also in the local users on the Splunk server/indexer.

I think that I have discovered the problem as far as the event logs, etc. Currently the machines that are being monitored via WMI are storing their logs in the "default" index. If I decide to re-install the apps, the indexes will have to be changed as appropriate, like "winevents" or "windowslogs", etc.

Thanks Again,
Eholz1
