Sample searches and dashboards
This topic lists searches that you can perform to confirm that Active Directory data has arrived at the indexer.
Note: If you are using TA-Windows version 6.0.0 version or later then you do not need TA_AD and TA_DNS, as they are merged with TA-Windows. To configure TA-Windows v6.0.0, Please refer to Deploy and configure the Splunk Add-on for Windows v6.0.0 or later.
Search Active Directory data
To confirm that Active Directory data is present on the indexer, use the Search app:
- Log into Splunk Enterprise on the indexer, if you have not already.
- Load the Search app. In the system bar, select Apps > Search & Reporting. Splunk loads the Search app.
- Try the following searches to confirm that data is present:
This search confirms that the Splunk Add-on for Microsoft Active Directory is sending data to the indexer:
This search confirms that the Splunk Add-on for Microsoft Active Directory has been installed properly on the deployment client named <host_name>:
Can't find the data?
Try the following:
- Use Forwarder Management to confirm that the Splunk Add-on for Microsoft Active Directory has been deployed to your deployment clients.
- Refer to the Troubleshooting manual for additional help.
Confirm and troubleshoot AD data collection
Configure Windows Domain Name Server
This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 4.0.0, 4.0.1, 4.0.2, 4.0.3