Why am I not getting any data after configuring Sp...

thecloudmode · ‎08-05-2015

Hi All,

I have recently deployed Splunk light for a trial.
It is on a Windows server, which is a domain member (single domain, single forest).

I have enabled the 'Splunk add-on for Windows' (and restarted).
I am using Splunk Web for all config etc.
I have then 'added data' with the 'Monitor -> Active Directory monitoring' option.
I created a dedicated, new index for this.

When I have finished the input seems to complete (I step through the GUI and get a green tick at the end) - however on the home page 'what to search' I see no hosts, sources or source types. It still says 'no data added, please add data'.

Within settings I can see the data input I just created, and I can see data flowing into the index.

Pretty sure I have missed something basic - any clues?

Thanks in Advance..
D

thecloudmode · ‎08-14-2015

Just an update ..

Thanks all for your help.
I ended up reinstalling (I had not put much effort into the install and therefore I did not loose much time).
Not sure what I had done wrong - will see if I end up in the same place this time.

Normally I would try to troubleshoot and resolve, for learning (shared learning in this case) - however I did not have the time..

I'm sure I'll be back though!

ChrisG · ‎08-05-2015

Start by trying the confirmation and troubleshooting searches in the documentation. Share those results here and the community can use that additional information to try to help you.

thecloudmode · ‎08-06-2015

HI ChrisG - thanks..

Total (splunk) newbie here - can you point me in the direction of a doco that how to use the commands listed in the link you provided?

I have only made any configuration via the web console so far... (tho I'm not afraid of CLIs...)

ChrisG · ‎08-06-2015

Hi, thecloudmode. Those are not CLI commands, they are searches. You enter them in the search bar:

If you are not yet oriented to the Splunk Light UI, then take a look at the in-product tour: Menu icon > Help > Product Tour.

Here is the Splunk Light documentation topic that talks about searches and results:

http://docs.splunk.com/Documentation/SplunkLight/6.2.4/GettingStarted/Viewingsearchresults

You should also take a look at the Search Tutorial, which is geared to Splunk Enterprise but the tasks, workflow, and experience will be very similar for Light.

thecloudmode · ‎08-06-2015

Told you I was a total newbie!! (hand meet face)..

Thanks for the further info - appreciated. I will go through both the viewing search results link, and the search tutorial today.

I have just followed the initial link, and I get no results - I am wondering if 'check you have installed the add-on into the indexers in your deployment.' is my issue. This is a test deployment, so I am going to reinstall, and use the default index this time, and go from there....

woodcock · ‎08-06-2015

Did you do all of this on the same server? I am assuming you have an all-in-one server on the windows server in question but maybe you have a separate Search Head. In such a case, you need to do this work on the Forwarder, not the Search Head.

thecloudmode · ‎08-06-2015

I did do all of this on the same server - an all-in-one config.. 🙂

Why am I not getting any data after configuring Splunk Light on Windows for Active Directory monitoring?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life