Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Windows Active Directory

You can collect any kind of Active Directory change data with Splunk.

Do you want or need to know who's been changing passwords, adding user or machine accounts, or delegating authority to Group Policy objects? All of that information is at your fingertips with Splunk's Active Directory monitor. What's more, you can choose which part of the AD you want to scan for changes - from one node to the entire AD forest.

Note: In order to monitor any part of Active Directory, you must run Splunk as a user with read permissions to the Active Directory schema.

To get Active Directory data, introduce Splunk Enterprise to your Active Directory:

A. Go to the Add New page

You add an input from the Add New page in Splunk Web. See "How do you want to add data?" in this manual.

You can get there by two routes:

  • Splunk Home
  • Splunk Settings

Via Splunk Settings:

1. Click Settings in the upper right-hand corner of Splunk Web.

2. In the Data section of the Settings pop-up, click Data Inputs.

3. Click Active Directory monitoring.

4. Click the New button to add an input.

Via Splunk Home:

1. Click the Add Data link in Splunk Home.

2. Click Monitor to monitor Active Directory on the local Windows machine.

B. Select the input source

1. In the left pane, locate and select Active Directory monitoring.

2. In the Collection name field, type in a unique name for the input that you will remember.

3. Optionally, in the Target domain controller field, enter the host name or IP address of the domain controller you want to use to monitor AD.

4. Optionally, in the Starting node field, type in the Active Directory node you would like the input to begin monitoring from. You must specify the Lightweight Directory Access Protocol format, for example, DC=Splunk-Docs,DC=com.

You can click the Browse button to browse through a list of available Active Directory nodes to browse through a list of available AD domains.

5. Check the 'Monitor Subtree' button if you want Splunk Enterprise to monitor all sub-nodes of the node you entered in the "Starting node" field.

6. Click the green Next button.

C. Specify input settings

The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.

1. Select the appropriate Application context for this input.

2. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in "About hosts".

Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.

3. Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.

4. Click the green Review button.

D. Review your choices

After specifying all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.

Review the settings. If they do not match what you want, click the white < button to go back to the previous step in the wizard. Otherwise, click the green Submit button.

Splunk Enterprise then loads the "Success" page and begins indexing the specified Active Directory node.

For more information on monitoring Active Directory, see "Monitor Active Directory" in this manual.

Last modified on 20 April, 2015
Windows performance monitoring - remote

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters