Hi All!
My issue is that I am not able to get the data in the Splunk App for Active Directory (Topology, controllers, etc.). Below are the details of what I have done so far.
Installed Splunk Enterprise full 6.3.2 (i.e. 60 days) on Red Hat Linux.
Configured receiving port 9997
Installed Splunk Universal Forwarder on Windows 2008 R2 DC
Configured both the receiving and forwarding side as per http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/AbouttheSplunkAppforActiveDirectory
Nothing changed on the UF, only changed the index name from the default index, and the same has been changed in the receiving end's indexes.conf file as well.
SA_ldapsearch: ldap.conf configured, connection tested and successful.
[default]
alternatedomain = splunk.local
basedn = dc=splunk,dc=local
binddn = CN=Administrator,CN=Users,DC=splunk,DC=local
port = 3268
server = xx.xx.xx.xx
ssl = 0
When I search AD data like index=myadindex | stats count by myadindex I am able to see the logs which are coming from the AD.
But when I check the Splunk AD App topology view or domain stats, there are no results found on the app page.
I did check
domain-list |dedup host|outputlookup DomainList.csv
and
domain-selector-search |outputlookup DomainSelector.csv
but there were no results returned.
FYI, a couple of things to note from the SplunkUF splunkd.log are below:
01-14-2016 04:56:52.189 -0500 INFO TailReader - Registering metrics callback for: batchreader0
01-14-2016 04:56:52.189 -0500 INFO TailReader - Starting batchreader0 thread
01-14-2016 04:56:52.938 -0500 INFO TcpOutputProc - Connected to idx=192.168.18.206:9997
01-14-2016 04:57:05.028 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
01-14-2016 06:01:38.000 -0500 WARN ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" ConfMetrics - single_action=BASE_INITIALIZE took wallclock_ms=1327
01-14-2016 06:02:19.652 -0500 WARN ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" ConfMetrics - single_action=BASE_INITIALIZE took wallclock_ms=1670
01-14-2016 06:02:56.795 -0500 INFO TailReader - ...continuing.
01-14-2016 06:03:06.826 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
01-14-2016 06:03:16.857 -0500 INFO TailReader - ...continuing.
01-14-2016 06:03:27.106 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
01-14-2016 06:03:37.137 -0500 INFO TailReader - ...continuing.
01-14-2016 06:04:01.426 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log'.
01-14-2016 06:04:01.426 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\mongod.log'.
01-14-2016 06:04:01.426 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\scheduler.log'.
01-14-2016 06:06:36.491 -0500 WARN ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" ConfMetrics - single_action=BASE_INITIALIZE took wallclock_ms=1685
01-14-2016 06:06:47.301 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
01-14-2016 06:07:02.340 -0500 INFO TailReader - ...continuing.
01-14-2016 06:08:38.124 -0500 WARN ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" ConfMetrics - single_action=BASE_INITIALIZE took wallclock_ms=2606
01-14-2016 06:12:56.835 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
01-14-2016 06:13:01.842 -0500 INFO TailReader - ...continuing.
01-14-2016 06:13:59.017 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
01-14-2016 06:14:39.077 -0500 INFO TailReader - ...continuing.
Please help with fixing this issue.
Thanks in advance!
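As an added diagnostic example (not part of this question, and not tooling shipped with Splunk or the AD app): a small Python script that parses splunkd.log lines in the layout shown above and measures how long TailReader sat blocked on the parsingQueue between each "Could not send data to output queue" and its "...continuing." line. The sample lines are constructed from the excerpt in the post, and the line-format regex is an assumption about the standard splunkd.log layout ("MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message").

```python
"""Measure forwarder backpressure from splunkd.log lines.

Added example; the regex below is an assumption about the standard
splunkd.log line layout, and SAMPLE_LOG is constructed from the
excerpt in the post.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$"
)
TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"

BLOCKED_MSG = "Could not send data to output queue"
RESUMED_MSG = "...continuing."

# Constructed sample, modelled on the poster's splunkd.log excerpt.
SAMPLE_LOG = r"""
01-14-2016 04:56:52.938 -0500 INFO TcpOutputProc - Connected to idx=192.168.18.206:9997
01-14-2016 04:57:05.028 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
01-14-2016 06:02:56.795 -0500 INFO TailReader - ...continuing.
01-14-2016 06:03:06.826 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
01-14-2016 06:03:16.857 -0500 INFO TailReader - ...continuing.
01-14-2016 06:04:01.426 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log'.
01-14-2016 06:13:59.017 -0500 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
"""


def parse_line(line):
    """Return a dict with ts (aware datetime), level, component, msg; None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def blocked_intervals(lines):
    """Pair each blocked-queue message with the next '...continuing.' from the same component.

    Returns (intervals, still_open): intervals is a list of (start, end, seconds);
    still_open maps components that never resumed to the time they first blocked.
    """
    intervals = []
    open_since = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # blank or non-matching line
        comp = rec["component"]
        if BLOCKED_MSG in rec["msg"]:
            open_since.setdefault(comp, rec["ts"])  # keep the first block time
        elif rec["msg"] == RESUMED_MSG and comp in open_since:
            start = open_since.pop(comp)
            intervals.append((start, rec["ts"], (rec["ts"] - start).total_seconds()))
    return intervals, open_since


def summarize(text, stall_threshold_s=60.0):
    """Summarise blocked-queue behaviour for a whole log excerpt."""
    intervals, still_open = blocked_intervals(text.splitlines())
    durations = [s for _, _, s in intervals]
    return {
        "blocked_events": len(intervals) + len(still_open),
        "total_blocked_s": round(sum(durations), 3),
        "longest_blocked_s": round(max(durations, default=0.0), 3),
        "stalls_over_threshold": sum(1 for s in durations if s >= stall_threshold_s),
        "still_blocked": sorted(still_open),
    }


if __name__ == "__main__":
    for start, end, secs in blocked_intervals(SAMPLE_LOG.splitlines())[0]:
        print(f"blocked {secs:9.3f}s  {start.isoformat()} -> {end.isoformat()}")
    print(summarize(SAMPLE_LOG))
```

Run it against the forwarder's actual splunkd.log to see whether short blips (tens of seconds, normal when the indexer briefly throttles) or long stalls dominate; a stall of over an hour, like the first interval in the sample, means the forwarder is holding events back, which is one reason the app's lookups can be empty even though some events do appear in the index. A component listed under still_blocked at the end of the excerpt means the queue had not recovered when the log was captured, so the next place to look is queue health on the receiving indexer.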