MS security integration with splunk

pavithra · ‎07-25-2024

Hi All,

Data is not getting indexed after adding the conf

richgalloway · ‎07-25-2024

Data will not be indexed automatically after adding the add-on. Inputs must be configured so the add-on knows where to find the data. See https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configure

---
If this reply helps you, Karma would be appreciated.

pavithra · ‎07-25-2024

Hi ,

I have added the config details already , still data is not coming

richgalloway · ‎07-25-2024

Typical GDI troubleshooting steps include:

Verify the input configuration, including the URL and credentials.
Verify the Splunk server running the add-on can connect to the MS server. Use curl or a similar tool.
Check splunkd.log for related messages.
Check the MS logs for related messages.
If you're using Splunk search to see if data is coming in then double-check the SPL. Verify the index name. Try specifying latest=+1y to account for timestamp errors.

---
If this reply helps you, Karma would be appreciated.