Deployment Architecture

AD overview, Windows Overview - no data

eholz1
Builder

Hello all,
I am using Splunk Enterprise 7.3.1, with the Windows apps and the AD add-on for Windows AD.
I get no data in the Windows Overview or the AD overview. There is no current data in the wineventlog and no data in the winevents log. I have used the inputs.conf file as mentioned in the splunk documentation here:
docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindowsversion6.0.0orlater

I have inputs.conf files in etc\system\local and app\splunk_TA_windows\local
and wmi.conf file in etc\system\local

What am I missing in the configuration?

Thanks
eholz1

0 Karma

skalliger
Motivator

Did you deploy the Windows TA to a Universal Forwarder? Is the UF running as a domain account or LOCAL SYSTEM?
Does the UF send any data at all? Look for the host in index=_internal.

Skalli

0 Karma

eholz1
Builder

Hello skalliger,

Thanks for the reply. I ended up re-installing the app. And many of the issues are gone now.
I have not yet re-installed the Windows Infrastructure or the Windows app for AD as yet.
We are not using the UF on any of the Windows boxes.

We are using WMI to query the logs. The version of Splunk is 7.3.1 and it runs as a domain user (for WMI access), and the user is also in the local users on the Splunk server/indexer.

I think that I have discovered the problem as far as the event logs, etc. Currently the machines that are being monitored via WMI are storing their logs in the "default" index. If I decide to re-install the apps - the indexes will have to be changed as appropriate: like "winevents" or "windowslogs" etc.

Thanks Again,
Eholz1

0 Karma
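Added example, not from either poster: a wmi.conf on the indexer that shows the index-routing problem eholz1 describes. A `[WMI:...]` stanza with no `index` key sends the collected event logs to the indexer's default index, so the app dashboards (which search the index the add-on expects) stay empty. The corrected stanza pins `index` explicitly. The host names, the `wineventlog` index name and the 10-second interval are assumed values for illustration; set the index to whatever the version of the Windows add-on you deploy searches by default.

```ini
# wmi.conf in $SPLUNK_HOME/etc/system/local (or the add-on's local/ directory).
# Splunk .conf comments must sit on their own line, never after a value.

# BEFORE: no "index" key, so events land in the indexer's default index
# (normally "main") and the Windows / AD overview searches find nothing.
[WMI:WinEventLog-Unrouted]
# constructed host names
server = dc01, dc02
interval = 10
event_log_file = Application, Security, System
disabled = 1

# AFTER: index set explicitly to the one the Windows add-on searches
# ("wineventlog" is assumed here; confirm it against the add-on's own defaults).
[WMI:WinEventLog]
# constructed host names
server = dc01, dc02
interval = 10
event_log_file = Application, Security, System
# 0 = collect historical events too, 1 = only events logged from now on
current_only = 0
index = wineventlog
disabled = 0
```

After restarting splunkd, a quick check is `index=wineventlog earliest=-15m | stats count by host, source`; if the hosts appear under `index=_internal` (skalliger's check) but not here, the stanza's `index` value and the target index's existence on the indexer are the first two things to compare.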