Deployment Architecture

AD overview, Windows Overview - no data

eholz1
Contributor

Hello all,
I am using splunk Enterprise 7.3.1, with the windows apps and the AD add-on for windows AD.
I get no data in the Windows Overview or the AD overview. There is no current data in the wineventlog and no data in the winevents log. I have used the inputs.conf file as mentioned in the splunk documentation here:
docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindowsversion6.0.0orlater

I have inputs.conf files in etc\system\local and app\splunk_TA_windows\local
and wmi.conf file in etc\system\local

What am I missing in the configuration?

Thanks
eholz1

Tags (1)
0 Karma

skalliger
SplunkTrust
SplunkTrust

Did you deploy the Windows TA to a Universal Forwarder? Is the UF running as a domain account or LOCAL SYSTEM?
Does the UF send any data at all? Look for the host in index=_internal.

Skalli

0 Karma

eholz1
Contributor

Hello skalliger,

Thanks for the reply. I ended up re-installing the app. And many of the issues are gone now.
I have not yet re-installed the Windows Infrastructure or the Windows app for AD as yet.
We are not using the UF on any of the Windows boxes.

We are using WMI to query the logs. The version of splunk is 7.3.1 and it runs as a domain user (for WMI access), and the user is also in the local users on the splunk server/indexer.

I think that I have discovered the problem as far as the event logs, etc. Currently the machines that are being monitored via WMI are storing their logs in the "default" index. If I decide to re-install the apps - the indexes will have to be changed as appropriate: like "winevents" or "windowslogs" etc.

Thanks Again,
Eholz1

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...