Splunk® Add-on for Microsoft Active Directory

Install and use the Splunk Add-on for Microsoft Active Directory

Download manual as PDF

Download topic as PDF

Troubleshoot the Splunk Add-ons for Microsoft Active Directory

General troubleshooting

For helpful troubleshooting tips that you can apply to all add-ons, see "Troubleshoot add-ons". You can also access these support and resource links.

Data appears in the wrong index

Both the Splunk Add-ons for Microsoft Active Directory and Windows DNS expect the following indexes to be present on your indexers:

  • msad
  • perfmon
  • winevents
  • windows (for backward compatibility)
  • wineventlog (for backward compatibility)

Ensure those indexes are present by installing the add-ons into all indexers in the deployment.

Sourcetype changes for WinEventLog data

The Splunk Add-on for Windows version 5.0.x introduces changes to WinEventLog data sourcetypes, and now assigns the WinEventLog sourcetype to the following WinEventLog inputs of the Splunk Add-on for Microsoft Active Directory:

Windows AD input Sourcetype
WinEventLog://DFS Replication WinEventLog
WinEventLog://Directory Service WinEventLog
WinEventLog://File Replication Service WinEventLog
WinEventLog://Key Management Service WinEventLog

WinEventLogs are distinguished by their source.

PREVIOUS
Configure the Splunk Add-on for Microsoft Active Directory
  NEXT
Lookups for the Splunk Add-on for Microsoft Active Directory

This documentation applies to the following versions of Splunk® Add-on for Microsoft Active Directory: 1.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters