All Apps and Add-ons

Why does the Splunk App for Windows Infrastructure not show any User, Computer, or Group data?

ugruner
Explorer

We are running the following versions of Splunk and supporting apps for Windows infrastructure:

Splunk Enterprise 6.3.2
Splunk App for Windows Infrastructure 1.2.0
Splunk Supporting Add-on for Active Directory 2.1.2
Windows Add-on 4.8.1
German OS

The Splunk App for Windows Infrastructure does not Show me any User, Computer, or Group entry.
Also the Guided Setup says "users not found", and "Groups not found", but "Computers found"
Also no OU is displayed in the Org Units: All Dashboard

On the DC the following apps are installed:
SA-ModularInput-PowerShell
sendtoindexer
Splunk_TA_windows
TA-DNSServer-NT6
TA-DomainController-2012R2

Because I am totally new to Splunk, please can someone help me to figure out why I can't get data?

1 Solution

ugruner
Explorer

severals issues:
SA-Ldapsearch was configured but not in the way App for Windows Infrastructure needs it to work correctly.
The "default" stanza must be filled out and a second stanza with the FQDN must exists. The Alternative name in both stanzas must be the same. The Wizard detects duplicates, so one Alternative Name should be written in UPPERCASES and one in lowercases.
Last but not least if you running splunk Server on german OS, you don't see data in some Dashboards. So I have to Switch to English OS for the splunk Server. After this ALL Dashboards Shows up Information. To make it clear Data was sent to the Indexes but the Dashboards could not display those.
Also the Eventlogs from non english Servers should be sent as XML.
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/

View solution in original post

ugruner
Explorer

severals issues:
SA-Ldapsearch was configured but not in the way App for Windows Infrastructure needs it to work correctly.
The "default" stanza must be filled out and a second stanza with the FQDN must exists. The Alternative name in both stanzas must be the same. The Wizard detects duplicates, so one Alternative Name should be written in UPPERCASES and one in lowercases.
Last but not least if you running splunk Server on german OS, you don't see data in some Dashboards. So I have to Switch to English OS for the splunk Server. After this ALL Dashboards Shows up Information. To make it clear Data was sent to the Indexes but the Dashboards could not display those.
Also the Eventlogs from non english Servers should be sent as XML.
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/

PPape
Contributor

please transform your comment to an answer and accept it as answer! This is really helpful!

0 Karma

yannK
Splunk Employee
Splunk Employee

usually:
- index permission, you can check in your role if you can search the specific windows indexes by default, or make sure you inherit for a role that can.
- and also some dashboards have a dependency with the ldap search addon (SA-Ldapsearch), to talk to your AD server.

sobrien
Splunk Employee
Splunk Employee

Within the search app, do you see any data at all related to these sourcetypes? That is, if you go to apps -> search and reporting -> search for "*", do you see any results? If not, if you change your search to index=*, do you see any data?

ugruner
Explorer

index=msad" Shows a lot of data
source=ActiveDirectory also exists with thousands of data.

I can use the Splunk App for Windows Infrastructure and browse all data e.g DNS, Domain Status, Health Status, only those for User, Groups, OU and Computers have no data if I open the Dashboards.

0 Karma

sobrien
Splunk Employee
Splunk Employee

I see. Those dashboards require SA-Ldapsearch to populate. Can you confirm if you have that installed and configured? https://splunkbase.splunk.com/app/1151/

Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...