Hi, I'm doing an on-premise Splunk Enterprise proof of concept deployment - its mostly successful but I'm encountering one issue with the Windows Infrastructure add-on and am not sure what I'm missing. I'm hoping y'all can help point me in the right direction. Thanks in advance. My current setup: Instances: SearchHead HeavyForwarder Indexer Manager (Licensing/Apps/ForwardManager) I've made the following changes: Installed Splunk Add-on for Windows v8.0.0 (configured) Installed Splunk Supporting Add-on for Active Directory v3.0.1 (configured) Installed Splunk App for Windows Infrastructure v.2.0.1 (incomplete) Configured Active Directory auditing I've enabled most stanzas in the inputs.conf, but left DNS, Perfmon, PrintMon, WindowsUpdates disabled as they're outside the scope of what we want. I've created MSAD, perfmon, windows, windowseventlog indexes - I can see the events populating in those indexes and not Main. The SearchHead is configured and able to search logs on the indexer. On the SearchHead, when I search for: "index=msad sourcetype=activedirectory", I get a thousand results+ for index=msad, source=ActiveDirectory, sourcetype=ActiveDirectory. So everything looks kosher. I can see AD user events like account locks etc, sa well. When I run the guided setup for Splunk App for Windows Infrastructure on the SearchHead, I get successful results for the Prerequisite checks and Data Checks (except for the expected warnings on PerfMon and PrintMon, but those inputs.conf stanzas are disabled on forwarders). However when I run Customize Features - several features are not found though that I do expect: Windows \ Performance Monitoring (Expected - I've disabled the stanza) Windows \ Applications and Updates (Unsure - I've disabled the WindowsUpdate stanzas) Windows \ Print Monitoring (Expected - I've disabled the stanza) Active Directory \ Domain Controllers (unsure) Active Directory \ DNS (Expected - I've disabled the stanza) Active Directory \ Users (unsure) Active Directory \ Computers (unsure) Active Directory \ Groups (unsure) I can't locate a precise explanation in documentation (though I'm sure the issue is something simple) of why part of the Domain Controllers, Users, Computers and Group features in Active Directory are not found in the Windows Infrastructure guided setup. And am unsure what I may have missed during initial configuration setup. Any advice, direction or help would be most welcome. Regards, Jon
... View more