I've got everything installed and configured for the Splunk App for Windows Infrastructure. Most of the pre-built searches work fine, but the Active Directory -> Groups -> Security Group Reports -> Security Groups: New isn't returning any results even though I've made new groups recently and am running the search for the past 7 days.
Security Groups: All, Nested, etc. all seem to work fine.
Doh! UF wasn't installed on all DCs. Confirmed events are coming from DCs with the UF installed.
Did you deploy this app to the Active Directory servers and turn on the msad inputs by setting disabled=false inside of inputs.conf? Did you restart the Splunk instances on those forwarders after deploying inputs.conf?
Yes, everything else seems to be working. I get results from other searches... Active Directory -> Groups -> Security Group Reports -> Security Groups: Empty returns results, as does All. The 'New' search is the only one that doesn't seem to be working.