Troubleshoot the Splunk Add-ons for Microsoft Active Directory
General troubleshooting
For helpful troubleshooting tips that you can apply to all add-ons, see "Troubleshoot add-ons". You can also access these support and resource links.
Data appears in the wrong index
Both the Splunk Add-ons for Microsoft Active Directory and Windows DNS expect the following indexes to be present on your indexers:
msad
perfmon
winevents
windows (for backward compatibility)
wineventlog (for backward compatibility)
To ensure those indexes are present, install the add-ons on all indexers in the deployment.
Sourcetype changes for WinEventLog data
The Splunk Add-on for Windows version 5.0.x introduces changes to WinEventLog data sourcetypes, and now assigns the WinEventLog sourcetype to the following WinEventLog inputs of the Splunk Add-on for Microsoft Active Directory:
Windows AD input | Sourcetype |
---|---|
WinEventLog://DFS Replication | WinEventLog |
WinEventLog://Directory Service | WinEventLog |
WinEventLog://File Replication Service | WinEventLog |
WinEventLog://Key Management Service | WinEventLog |
WinEventLogs are distinguished by their source.
This documentation applies to the following versions of Splunk® Add-on for Microsoft Active Directory (EOL): 1.0.0, 1.0.1