Solved: Splunk App for Windows Infrastructure: Why is the ...

msaz · ‎05-19-2017

I've got everything installed and configured for the Splunk App for Windows Infrastructure. Most of the pre-built searches work fine, but the Active Directory -> Groups -> Security Group Reports -> Security Groups: New isn't returning any results even though I've made new groups recently and am running the search for the past 7 days.

Security Groups: All, Nested, etc. all seem to work fine.

msaz · ‎06-22-2017

Doh! UF wasn't installed on all DCs. Confirmed events are coming from DCs with the UF installed.

View solution in original post

msaz · ‎06-22-2017

Doh! UF wasn't installed on all DCs. Confirmed events are coming from DCs with the UF installed.

woodcock · ‎05-19-2017

Did you deploy this app to the Active Directory servers and turn on the msad inputs by setting disabled=false inside of inputs.conf? Did you restart the splunk instances on those forwarders after deploying inputs.conf?

msaz · ‎06-08-2017

Yes, everything else seems to be working. I get results from other searches... Active Directory -> Groups -> Security Group Reports -> Security Groups: Empty returns results, as does All. The 'New' search is the only one that doesn't seem to be working.

Splunk App for Windows Infrastructure: Why is the pre-built Active Directory new group search not working?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?