If you run index=* eventtype=msad-dc-health do you see the data?
It could need further configuration as per the link below:
https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-app-for-active-directory-and-the-top-10-iss...
"The other data input that requires a little bit of configuration is the health scripts. Active Directory stores a lot of the health information in data structures stored in memory rather than in the directory. It requires that we access .NET libraries to retrieve the information. If you are not seeing the domain selector working, then it is likely that you are not receiving this health data. You can further check this by executing the following search:
eventtype=msad-dc-health
If you log on to a domain controller, you can run the health script manually with the following command:
CD C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\bin C:\Program Files\SplunkUniversalForwarder\bin\splunk cmd runpowershell.cmd ad-health.ps1
If Powershell is turned off, the error message will tell you that scripts are disabled on this host. You can repair this situation by turning on Powershell within the same GPO you use to alter the audit settings, or you can create a new GPO for this purpose. As with the audit settings GPO, it needs to be attached to the domain controllers on each domain. As with the audit settings, you can read about this process in our documentation."
