I followed the setup and I am very disappointed with the results. I assume that it is indexing events as designed, because there are events in the msad index. The UI is slow. Pages do not populate on first load and have to be refreshed. Many dashboards - especially for AD - return no data. The splunkd.log is filling with these 4 lines every second:
12-08-2015 09:05:53.293 -0400 WARN SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_process.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_service.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
... View more