Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sourcetype issue -Splunk addon for Microsoft Windows Active Directory

franciscof
Explorer
‎10-29-2020 12:57 PM

Hi guys, i've been trying to configure the Splunk app for windows infrastructure and for that I've previously installed the addon you see on the subject. But when I'm running the data check I see that the ActiveDirectory* sourcetype that I need to see , is not returning any events. See below:

 

franciscof_0-1604001338224.png

What could this be?

Thanks in advance!

 

Labels (1)
Labels
0 Karma
Reply

Ibbers
Explorer
‎12-02-2020 10:00 PM

I had the same problem last week (still on my first deployment project of Splunk), and once I went through the inputs it all flowed.

I had better results too when I specified the indexes for each sourcetype - had been getting some results into main for some instead of msad until then.

0 Karma
Reply

Ibbers
Explorer
‎12-02-2020 09:58 PM

check your inputs.conf In Splunk Add-On for Windows - likely you haven't enabled the desired types so the forwarders aren't sending it. Remember it'll probably need to be deployed to your universal forwarders.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top