Splunk Enterprise

Sourcetype issue -Splunk addon for Microsoft Windows Active Directory

franciscof
Explorer

Hi guys, i've been trying to configure the Splunk app for windows infrastructure and for that I've previously installed the addon you see on the subject. But when I'm running the data check I see that the ActiveDirectory* sourcetype that I need to see , is not returning any events. See below:

 

franciscof_0-1604001338224.png

What could this be?

Thanks in advance!

 

Labels (1)
0 Karma

Ibbers
Explorer

I had the same problem last week (still on my first deployment project of Splunk), and once I went through the inputs it all flowed.

I had better results too when I specified the indexes for each sourcetype - had been getting some results into main for some instead of msad until then.

0 Karma

Ibbers
Explorer

check your inputs.conf In Splunk Add-On for Windows - likely you haven't enabled the desired types so the forwarders aren't sending it. Remember it'll probably need to be deployed to your universal forwarders.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...