I have set up the free version of Splunk and installed the Splunk App for Active Directory. I am trying to pilot a POC to our IT leadership with hopes to budget for and purchase Enterprise licensing early next year. Unfortunately, I do not seem to be receiving any data from the UF installed on our Domain Controller. I have read through all of the online documentation I can find and followed it to the best of my ability, but I’m assuming I’m missing some critical step or have misconfigured something. We are a single domain, single forest, and are running at a forest/domain functional level of 2003. So far I have:
• Deployed new Windows Server 2008 R2 Standard, fully patched
• Installed single Splunk instance as primary deployment server, indexer, and search head
• Enabled AD Auditing and script execution via GPO
• Downloaded Splunk App for Active Directory and Splunk TAs for Windows
• Copied Splunk TA Windows, TA-DomainController-NT6, and TA-DNSServer-NT6 to Splunk\etc\deployment-apps on Splunk server
• Configured serverclass.conf on deployment server
• Installed UF on Windows Server 2008 R2 Domain Controller, and configured to point to deployment server on port 8089
• Installed SA-ldapsearch, Sideview Utils, Splunk App for Active Directory, and Splunk TAs for Windows on Splunk server
• Configured ldap.conf and eventtypes.conf
• Restarted Splunk server and UF
• Confirmed that the UF on the DC received the deployed apps
I’ve searched the Splunkbase and online documentation, and can’t determine why I’m not receiving any data from the UF. Any help you can provide would be very helpful. Let me know if you need me to provide any sort of logs or config files to better troubleshoot.
Thanks
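The steps in the post cover the deployment-server side (port 8089) and confirm the UF pulled down the apps, but say nothing about the forwarding path from the UF to the indexer, which is where "apps arrived, no data" usually breaks. The script below is an added example, not code from the original post or from Splunk; it is a read-only health check to run in an elevated PowerShell prompt on the Domain Controller. It assumes the default UF install path, a placeholder hostname `splunk.example.local` for the single Splunk server, and Splunk's default receiving port 9997; adjust those three variables. It is written for PowerShell 2.0 (Windows Server 2008 R2), so it uses `TcpClient` rather than `Test-NetConnection`.

```powershell
# Added UF troubleshooting check (not from the original post). Read-only; changes nothing.
# Assumptions: default UF path, placeholder Splunk server name, default receiving port 9997.
$SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder'   # assumed default install path
$SplunkServer     = 'splunk.example.local'                        # ASSUMPTION: your all-in-one Splunk host
$DeploymentPort   = 8089                                           # management port named in the post
$ReceivingPort    = 9997                                           # ASSUMPTION: Splunk default receiving port
$SplunkExe        = Join-Path $SplunkHome 'bin\splunk.exe'
$SplunkdLog       = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'

function Test-TcpPort {
    # Three-second TCP connect test that works on PowerShell 2.0 (no Test-NetConnection).
    param([string]$TargetHost, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

Write-Host "== 1. UF service =="
Get-Service -Name SplunkForwarder | Format-Table Name, Status -AutoSize

Write-Host "== 2. Network path from the DC =="
"Deployment server ${SplunkServer}:${DeploymentPort} reachable: " + (Test-TcpPort $SplunkServer $DeploymentPort)
"Receiving port    ${SplunkServer}:${ReceivingPort} reachable: " + (Test-TcpPort $SplunkServer $ReceivingPort)
# If 9997 is closed, either the Splunk server has no receiving port enabled
# (Settings > Forwarding and receiving > Configure receiving) or a firewall blocks it.

Write-Host "== 3. Effective outputs.conf (is there a [tcpout] target at all?) =="
# A UF that only has deploymentclient.conf will happily pull apps and forward nothing.
& $SplunkExe btool outputs list --debug
if (-not (& $SplunkExe btool outputs list | Select-String -Pattern '^\[tcpout' -Quiet)) {
    Write-Warning 'No [tcpout] stanza found: the UF has no indexer to send to.'
}

Write-Host "== 4. Windows event log inputs and their disabled flag =="
# Splunk_TA_windows ships its WinEventLog stanzas with disabled = 1 by default;
# they need a local/inputs.conf override (typically pushed from the deployment server).
& $SplunkExe btool inputs list --debug |
    Select-String -Pattern 'WinEventLog|disabled' |
    ForEach-Object { $_.Line }

Write-Host "== 5. Recent forwarding / deployment messages in splunkd.log =="
if (Test-Path $SplunkdLog) {
    Select-String -Path $SplunkdLog `
        -Pattern 'TcpOutputProc|DeploymentClient|Connected to idx|Connection to host|ERROR|WARN' |
        Select-Object -Last 30 |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "splunkd.log not found at $SplunkdLog (check the install path assumption)."
}
```

Read the output in order: the service must be Running; both ports must be reachable; step 3 must show a `[tcpout]` group pointing at the Splunk server on the receiving port; step 4 must show the Security/System/Application `WinEventLog` inputs with `disabled = 0` (or no `disabled` line); and step 5 will show `Connected to idx=...` when forwarding works, or `Connection to host=... failed` / `Cooked connection ... timed out` when it does not. `splunk list forward-server` (it prompts for the UF admin credentials) gives the same active/inactive view in one line. On the Splunk server side, the matching check is that a receiving port is enabled (`[splunktcp://9997]` in inputs.conf, or Settings > Forwarding and receiving) and that the deployment-server apps carrying outputs.conf and the inputs overrides are actually in the server class mapped to the DC.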