I have deployed the Splunk Add-on for Microsoft Windows and the send to indexer app successfully to my forwarders.
I have a server called activedirectory which I can see has downloaded the apps, however, no data is being indexed. Actually, I can't see data from any of the servers that have the app deployed.
I can see on the splunk server that activedirectory has made a connection on 9997.
If I search for host=activedirectory there are no events.
Any ideas where I should start troubleshooting?
Data Summary

Host      Count   Last Update
SERVER1   135     3/24/15 2:30:30.000 PM
splunk    1       3/24/15 12:45:33.000 PM
C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_windows\local
OS Logs
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false
[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false
C:\Program Files\Splunk\etc\deployment-apps\sendtoindexer\local
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunk:9997
[tcpout-server://splunk:9997]
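One place to start, given the configuration above: every enabled stanza sends events to index=wineventlog, and an indexer drops events destined for an index it does not have (it logs the failure in splunkd.log), while a search such as host=activedirectory without an index clause only covers the default search indexes. The script below is an added example, not code from the original post or from Splunk's add-on: it parses a constructed copy of the posted inputs.conf, lists which inputs are actually enabled, collects the indexes they reference, and compares them with INDEXER_INDEXES, an assumed list standing in for what the indexer really has (replace it with the output of `splunk list index` or the Settings > Indexes page). It also builds the index-qualified search to run instead of the host-only one.

```python
import configparser
from typing import Dict, List, Set

# Constructed copy of the inputs.conf stanzas shown in the question
# (test input embedded here; not read from the deployment-apps folder).
INPUTS_CONF = r"""
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false
"""

# Assumed list of indexes present on the indexer (constructed for this
# example; a fresh install has no "wineventlog" index unless someone made it).
INDEXER_INDEXES = ["main", "_internal", "_audit"]


def parse_inputs(text: str) -> Dict[str, Dict[str, str]]:
    """Parse inputs.conf text into {stanza: {key: value}}.

    Splunk conf files are INI-like, but keys are case-sensitive and values
    may hold regex metacharacters, so key case is kept and interpolation is off.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep checkpointInterval / renderXml as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def is_enabled(stanza: Dict[str, str]) -> bool:
    """Splunk treats a missing 'disabled' key as enabled; 1/true disable it."""
    return stanza.get("disabled", "0").strip().lower() not in ("1", "true")


def enabled_inputs(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of the stanzas that will actually collect events on the forwarder."""
    return [name for name, kv in stanzas.items() if is_enabled(kv)]


def referenced_indexes(stanzas: Dict[str, Dict[str, str]]) -> Set[str]:
    """Indexes that enabled inputs will route events to ('main' if unset)."""
    return {kv.get("index", "main").strip()
            for kv in stanzas.values() if is_enabled(kv)}


def missing_indexes(stanzas: Dict[str, Dict[str, str]],
                    existing: List[str]) -> List[str]:
    """Indexes referenced by enabled inputs that the indexer does not define."""
    return sorted(referenced_indexes(stanzas) - set(existing))


def suggested_search(stanzas: Dict[str, Dict[str, str]], host: str) -> str:
    """Index-qualified search; host= alone only hits default search indexes."""
    idx = " OR ".join(f"index={i}" for i in sorted(referenced_indexes(stanzas)))
    return f"{idx} host={host}"


if __name__ == "__main__":
    stanzas = parse_inputs(INPUTS_CONF)
    print("enabled inputs:", enabled_inputs(stanzas))
    print("indexes referenced:", sorted(referenced_indexes(stanzas)))
    print("missing on indexer:", missing_indexes(stanzas, INDEXER_INDEXES))
    print("search to try:", suggested_search(stanzas, "activedirectory"))
```

With the assumed index list the script reports that wineventlog is missing on the indexer and that the System log stanza is disabled, so System events would not arrive even once the index exists; the search it prints, index=wineventlog host=activedirectory, is the one to run after confirming the index is defined.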