Confirm and troubleshoot AD data collection
This topic discusses how to confirm and troubleshoot data collection from the Splunk Add-on for Microsoft Active Directory.
To users who are using TA-windows v6.0.0: TA-AD has merged with TA-windows. See Download and configure the Splunk Add-on for Windows version 6.0.0 or later.
If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.
Check the indexer for data
After you configure and deploy the Splunk Add-on for Microsoft Active Directory into your domain controller deployment client, you should check the deployment server to see that data has arrived. The fastest way to do that is to load the Search and Reporting app and view the Data Summary:
- In the system bar, click Apps > Search & Reporting. Splunk Enterprise loads the Search & Reporting app.
- Click Data Summary. Splunk brings up the data summary page with the "Hosts" tab active.
- Scan through the list of host names for the name of your domain controller deployment client.
- If you do not see the deployment client host name, then there is a problem occurring between the client at the indexer. Confirm that:
- You have properly configured receiving on the indexer.
- You have properly configured the "send to indexer" app to forward data to the indexer.
- No network issue exists between the deployment client and the indexer.
- Click the host name in the list. A search window appears and displays all events associated with the deployment client host name.
- Search through the data to see that all of the events you configured in the Splunk Add-on for Microsoft Active Directory have been sent to the indexer. See Sample Active Directory searches and dashboards.
- If you do not see the events you expect, try these steps:
- Confirm that you have placed the add-on in the deployment apps directory and reloaded the deployment server.
- Confirm that the deployment client does not have errors attempting to collect the data.
- More troubleshooting steps are available in the Splunk Troubleshooting manual.
You have configured and deployed the Splunk Add-on for Microsoft Active Directory to your domain controller deployment clients. This now means that Active Directory data is present on your Splunk App for Windows Infrastructure indexer.
The next step is to get DNS data onto the indexer.
Deploy the Splunk Add-on for Microsoft Active Directory
Sample searches and dashboards
This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4