Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure

On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.

Confirm and troubleshoot AD data collection

This topic discusses how to confirm and troubleshoot data collection from the Splunk Add-on for Microsoft Active Directory.

To users who are using TA-windows v6.0.0: TA-AD has merged with TA-windows. See Download and configure the Splunk Add-on for Windows version 6.0.0 or later.

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.

Check the indexer for data

After you configure and deploy the Splunk Add-on for Microsoft Active Directory into your domain controller deployment client, you should check the deployment server to see that data has arrived. The fastest way to do that is to load the Search and Reporting app and view the Data Summary:

  1. In the system bar, click Apps > Search & Reporting. Splunk Enterprise loads the Search & Reporting app.
  2. Click Data Summary. Splunk brings up the data summary page with the "Hosts" tab active.
  3. Scan through the list of host names for the name of your domain controller deployment client.
    • If you do not see the deployment client host name, then there is a problem occurring between the client at the indexer. Confirm that:
      • You have properly configured receiving on the indexer.
      • You have properly configured the "send to indexer" app to forward data to the indexer.
      • No network issue exists between the deployment client and the indexer.
  4. Click the host name in the list. A search window appears and displays all events associated with the deployment client host name.
  5. Search through the data to see that all of the events you configured in the Splunk Add-on for Microsoft Active Directory have been sent to the indexer. See Sample Active Directory searches and dashboards.
  • If you do not see the events you expect, try these steps:
    • Confirm that you have placed the add-on in the deployment apps directory and reloaded the deployment server.
    • Confirm that the deployment client does not have errors attempting to collect the data.
    • More troubleshooting steps are available in the Splunk Troubleshooting manual.

What's next?

You have configured and deployed the Splunk Add-on for Microsoft Active Directory to your domain controller deployment clients. This now means that Active Directory data is present on your Splunk App for Windows Infrastructure indexer.

The next step is to get DNS data onto the indexer.

Last modified on 17 October, 2019
Deploy the Splunk Add-on for Microsoft Active Directory   Sample searches and dashboards

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters