Troubleshoot the Splunk Add-ons for Microsoft Active Directory
Data appears in the wrong index
Both the Splunk Add-ons for Microsoft Active Directory and Windows DNS expect the following indexes to be present on your indexers:
windows (for backward compatibility)
wineventlog (for backward compatibility)
Ensure those indexes are present by installing the add-ons into all indexers in the deployment.
Sourcetype changes for WinEventLog data
The Splunk Add-on for Windows version 5.0.x introduces changes to WinEventLog data sourcetypes, and now assigns the WinEventLog sourcetype to the following WinEventLog inputs of the Splunk Add-on for Microsoft Active Directory:
| Windows AD input | Sourcetype |
| WinEventLog://File Replication Service | WinEventLog |
| WinEventLog://Key Management Service | WinEventLog |
Because these inputs share the WinEventLog sourcetype, their events are distinguished by their source.
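Saved searches and alerts that still filter on a per-channel sourcetype stop matching after this change. The following added example (not part of the Splunk documentation or the add-on) scans savedsearches.conf text for such filters and proposes a rewrite that filters on source. It assumes the older filter form was sourcetype="WinEventLog:<channel>" and that the source value is "WinEventLog:<channel>"; the function names and the sample stanzas are constructed for illustration.

```python
import re

# Channels from the table above; extend for other WinEventLog inputs you collect.
CHANNELS = ("File Replication Service", "Key Management Service")
# Assumption: pre-5.0 searches filtered on sourcetype="WinEventLog:<channel>".
LEGACY = re.compile(
    r'sourcetype\s*=\s*"WinEventLog:(' + "|".join(map(re.escape, CHANNELS)) + r')"',
    re.IGNORECASE,
)

def rewrite_search(spl):
    """Return (rewritten_spl, channels_found) for one search string."""
    found = []
    def repl(match):
        found.append(match.group(1))
        # Assumption: the source value is "WinEventLog:<channel>".
        return f'sourcetype="WinEventLog" source="WinEventLog:{match.group(1)}"'
    return LEGACY.sub(repl, spl), found

def audit_savedsearches(conf_text):
    """Return [(stanza, old_search, new_search)] for each affected saved search."""
    # Join backslash-continued lines so multi-line searches are seen whole.
    text = re.sub(r"\\\r?\n\s*", " ", conf_text)
    stanza, hits = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif re.match(r"search\s*=", line):
            old = line.split("=", 1)[1].strip()
            new, found = rewrite_search(old)
            if found:
                hits.append((stanza, old, new))
    return hits

# Constructed sample savedsearches.conf content, not from a real deployment.
SAMPLE = r'''
[FRS replication errors]
search = index=wineventlog sourcetype="WinEventLog:File Replication Service" \
    Type=Error | stats count by host
[KMS activations]
search = index=wineventlog sourcetype="WinEventLog" source="WinEventLog:Key Management Service" | timechart count
[Legacy KMS by host]
search = sourcetype = "wineventlog:Key Management Service" | top host
'''

if __name__ == "__main__":
    for stanza, old, new in audit_savedsearches(SAMPLE):
        print(f"[{stanza}]\n  old: {old}\n  new: {new}")
```

Review each proposed rewrite before applying it, since a silently empty detection search is harder to notice than a failing one.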
This documentation applies to the following versions of Splunk® Add-on for Microsoft Active Directory: 1.0.0, 1.0.1