It looks like the events are not reaching our indexer. Did you validate that your forwarder successfully connects to your indexer? splunkd.log on the forwarder should show messages like "connected to idx=n.n.n.n" if that's successful. It may also have other error messages that may indicate why events don't reach your indexer. I would start looking there. ... View more

Yes, the app will run on Centos. You need to have the Splunk universal forwarder running on your domain controllers. You then configure and deploy the Splunk Add-on for Microsoft Windows to those forwarders. If you DC's are very busy, you will probably need to also set the following on the forwarders as well: limits.conf [thruput] maxKBps = The default value is 256 which is often not enough to keep up with the log traffic from busy DC's. Setting this to 0 is unlimited. If you have bandwidth limitations you will need to find a happy median. You may have to live with some latency in indexing the events. If you have a dev/test DC, I ALWAYS recommend you test on that one before deploying to production. ... View more