Sample searches and dashboards
This topic lists searches that you can perform to confirm that Windows data has arrived at the indexer.
If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.
Search Active Directory data
To confirm that Active Directory data is present on the indexer, use the Search app:
- Log into Splunk Enterprise on the indexer, if you have not already.
- Load the Search app. In the system bar, select Apps > Search & Reporting. Splunk loads the Search app.
- Try the following searches to confirm that data is present:
This search confirms that the Splunk Add-on for Microsoft Active Directory is sending data to the indexer:
index=msad earliest=1h
This search confirms that the Splunk Add-on for Microsoft Active Directory has been installed properly on the deployment client named <host_name>:
index=msad host=<host_name> earliest=1h
Can't find the data?
Try the following:
- Use Forwarder Management to confirm that the Splunk Add-on for Microsoft Active Directory has been deployed to your deployment clients.
- Refer to the Troubleshooting manual for additional help.
Confirm and troubleshoot AD data collection | Configure Windows Domain Name Server |
This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4
Feedback submitted, thanks!