Hi everyone.
I am trying to configure the Splunk App for Windows Infrastructure. My topology includes 2 Windows Domain Controllers, one Windows Exchange Server, one Windows File Server, and 2 Cisco devices. Each Windows machine is running a universal forwarder, an indexer runs Splunk Enterprise 6.2.1 on Ubuntu 14, and there is no Search Head. The indexer is responsible for both indexing and searching.
About the app, the following is set up:
Splunk v6.2.1
Splunk Add-on for Microsoft Windows v4.7.3
Splunk Supporting Add-on for Microsoft Windows Active Directory v2.0.1
The user has the winfra-admin user role, and everything is marked with a green "tick". Despite that, when continuing the wizard I get the following error:
Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours
I read that Splunk Supporting Add-on for Microsoft Windows Active Directory should be installed on the search head (which is not present in my topology because I found there is no need to have one). Does anyone know what might be the problem?
Thank you!