I have installed the Windows Infrastructure app on a Splunk search head (which is a server).
The app requires multiple indexes (msad, perfmon, wineventlog), and all indexes are receiving data except for msad.
Attached is my indexes.conf file:
[msad]
coldPath = $SPLUNK_DB/msad/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/msad/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/msad/thaweddb
[perfmon]
coldPath = $SPLUNK_DB/perfmon/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/perfmon/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/perfmon/thaweddb
[wineventlog]
coldPath = $SPLUNK_DB/wineventlog/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/wineventlog/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
[windows]
coldPath = $SPLUNK_DB\windows\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\windows\db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB\windows\thaweddb
The Active Directory data gets indexed into the msad index.
If you are getting AD data on that server, only then will the msad index show events.
------------------------------------------------------
If this helps, your like will be appreciated 👍
Is indexes.conf required for Splunk Add-on for Windows v800/Splunk App for Windows Infrastructure v201?
It's unclear from the documentation, as the Splunk_TA_Windows (v800) documentation says indexes.conf is removed?
Do I need an indexes.conf in my \local\ folder for MSAD, Windows, Perfmon, Wineventlog?
cheers 🙂
Thank you
Did you intend to post two questions on the same topic? Perhaps they should be combined.