
Splunk Add-on for Microsoft Windows Active Directory: Why does my search "sourcetype="ActiveDirectory*" | head 5" not return any events?

wilhelmF
Path Finder

Hi,

we are having trouble receiving events from sourcetype="ActiveDirectory*". We did everything that was explained in the documentation:
- amend GPO Group Policies
- amend PowerShell settings for local and remote signed script execution
- install Splunk Add-on for Microsoft Powershell
- install Splunk Add-on for Microsoft Windows Active Directory

we are receiving most data from Active Directory, but sourcetype="ActiveDirectory*" is missing. The Splunk Add-on for Microsoft PowerShell seems to work properly. Group Policies are set right. The other checks on the msad index went well. We can see events arriving in msad. (Please have a look at the screenshot below from the guided setup in the Splunk App for Windows Infrastructure.) Any ideas?


0 Karma

wilhelmF
Path Finder

Thank you for your answer:

  1. I added the necessary indexes to my role. Also, I should be allowed to read all indexes. I tried adding index=* before my search. Still no success.
  2. I don't use custom indexes.
  3. I see some events for sourcetype="WinEventLog:Directory-Service", but too few. My question here is: if the sourcetype for Active Directory should be sourcetype="WinEventLog:Directory-Service", why is the Windows Infrastructure App then searching for sourcetype="ActiveDirectory*"?

Thanks

0 Karma

3no
Communicator

Can you check these points?

1 - Are you sending your logs to the main index? Check your role; maybe you don't have access to this index by default.
You can also try adding index=* or index=[your_index_name] before your search.

2 - If you are using a custom index, make sure it's well defined on your indexers and that you can access it.

3 - Also, I'm pretty sure that by default the sourcetype for Active Directory should be something like sourcetype="WinEventLog:Directory Service"

0 Karma
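The three checks in this answer, written out as Splunk searches. This is an added example, not code from the original thread or from the add-on documentation. It assumes the index is `msad`, as named in the question, and it tries both sourcetype spellings that appear in this thread ("WinEventLog:Directory Service" and "WinEventLog:Directory-Service") because the thread does not settle which one is correct. Run each search on its own in the search bar with the time picker set to All time; the backtick lines use Splunk's built-in no-op `comment()` macro and can be left in.

```spl
`comment("1. Which user and roles is this session running as? index=* only expands to indexes these roles may search.")`
| rest /services/authentication/current-context
| table username roles

`comment("2. For every role: which indexes it is allowed to search, and which it searches when no index= is given.")`
| rest /services/authorization/roles
| table title srchIndexesAllowed srchIndexesDefault

`comment("3. Event count per index that this role can see, regardless of sourcetype. If msad is missing here, it is a role or index definition problem, not an add-on problem.")`
| eventcount summarize=false index=*
| table index count

`comment("4. Which sourcetypes have ever been written to msad, with first and last event time. Shows directly whether any ActiveDirectory* sourcetype exists.")`
| metadata type=sourcetypes index=msad
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"), lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table sourcetype totalCount firstTime lastTime

`comment("5. Look across every accessible index for the sourcetype names used in this thread, in case the events landed outside msad.")`
| tstats count WHERE index=* (sourcetype="ActiveDirectory*" OR sourcetype="WinEventLog:Directory Service" OR sourcetype="WinEventLog:Directory-Service") BY index sourcetype
```

Search 4 is the decisive one for this thread: if it lists only WinEventLog sourcetypes and no ActiveDirectory* entry, the data is not being produced or forwarded at all, and no change to roles or to the `index=` filter will make the original search return events.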