Getting Data In

Not receiving data from universal forwarders when netstat shows domain controller is connected.

ngct2020
New Member

Hi,

I configured a Splunk enterprise indexer to monitor active directory. That worked without issues, it found my domain controllers right away. I also configured the forwarders conf file properly, but I'm not seeing any data in Splunk.

Netstat shows that the indexer is listening on 9997. Netstat also shows that the domain controller running the forwarder is connected to the indexer on 9997.

But still no data. Can someone please help?

0 Karma

ngct2020
New Member

Completed. no data still. I'm also seeing this message

Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED__Indexer IP_default-autolb-group_DC Host Name_10
5/22/2020, 2:00:52 PM

0 Karma

ngct2020
New Member

Hi,

Apologies, I'm new to Splunk. You said to check that my index is already created on the indexer(s). I'm not sure how to do this; can you point me to a document that explains it?

All I have done on the Splunk indexer is enable a receiver port of 9997, configure Active Directory monitoring and add my domain controllers to it.
I don't think I have configured what's required on line 3 above (index = your_index_name).

0 Karma

shivanshu1593
Builder

You haven't specified anything in inputs.conf for Splunk to look for. Splunk uses API calls to monitor these logs, which are in binary format. Adding this stanza in inputs.conf on the UF will help. Please make sure that the index is already created on your indexer(s). Also, after pasting this into your inputs.conf, please make sure to restart splunkd on the DC.

[WinEventLog://Security]
disabled = 0 
index = your_index_name

I'd also suggest you use a server as a deployment server for the UFs. That way, you can compartmentalize your UFs according to the types of servers on which they are deployed, for example: domain controllers, any app's database, DHCP servers, etc. Also, you can change their inputs.conf at any time from the deployment server, rather than going to the servers to make the changes every time. That will become increasingly difficult as your environment grows.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

ngct2020
New Member

I also have the add-on for AD installed on the DCs hosting the UF.

0 Karma

ngct2020
New Member

Hi,

Yes. The intent is to bring security events from the domain controllers into Splunk. I didn't use a remote deployment, just installed the UF locally on the domain controllers. I configured the outputs file using a single-indexer setup with the target server IP address on the default port 9997. I didn't do anything in inputs.conf (see configurations below). There are no firewall restrictions. Netstat shows that the DC is connected to the indexer on 9997.

outputs.conf on domain controllers with UF

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = x.x.x.x:9997

[tcpout-server://x.x.x.x:9997]

inputs.conf on domain controllers with UF

[default]
host = DomainController's host name

0 Karma

shivanshu1593
Builder

If you're trying to do an LDAP query to get the data, then I'd suggest going with this:

https://splunkbase.splunk.com/app/3207/

If you are trying to bring the security/directory services or any other type of logs into Splunk from Domain controllers, then you need to make sure that:

  1. Your UF is reporting to your deployment server.
  2. inputs.conf and outputs.conf are correctly configured and placed on your domain controllers.
  3. There are no firewall restrictions in between (there usually aren't, but you never know).

If you can share your inputs and outputs, masking the important details, we can help further.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
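An added diagnostic example (my own code, not from this thread and not a Splunk tool) that applies the checklist in this reply and the `[WinEventLog://Security]` stanza from the reply above. It parses a UF's inputs.conf and outputs.conf the way they were posted and reports the failure modes discussed here: an inputs.conf that has only a `[default]` stanza and therefore collects nothing, a disabled input, an input whose `index` is missing or not present on the indexer, and a `[tcpout]` group that is not defined or has no usable `server`. The two inputs.conf texts, the host name DC01, the address 192.0.2.10, the index name `wineventlog` and the index list are constructed for the example; on a real deployment the index list would come from the indexer (for instance the REST endpoint `/services/data/indexes`).

```python
"""Diagnose a Universal Forwarder's inputs.conf / outputs.conf for the
"connected on 9997 but no data" situation. Added example; the .conf texts
below are constructed to mirror the ones posted in the thread."""
import configparser

FALSY = {"0", "false", "f", "no", "n", ""}


def parse_conf(text):
    """Parse Splunk .conf text: INI-like, '=' delimiter, case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep 'defaultGroup' as written, not 'defaultgroup'
    cp.read_string(text)
    # Splunk's [default] is lowercase, so it is an ordinary section here.
    return {section: dict(cp.items(section)) for section in cp.sections()}


def is_enabled(stanza):
    """A stanza is enabled unless 'disabled' is set to a truthy value."""
    return stanza.get("disabled", "0").strip().lower() in FALSY


def check_inputs(inputs, known_indexes=None):
    """Report why inputs.conf would produce no (or misrouted) data."""
    findings = []
    data_inputs = {n: s for n, s in inputs.items() if n != "default"}
    if not data_inputs:
        return ["inputs.conf has only a [default] stanza: nothing is being collected"]
    for name, stanza in data_inputs.items():
        if not is_enabled(stanza):
            findings.append(f"{name}: disabled")
        index = stanza.get("index")
        if index is None:
            findings.append(f"{name}: no index set (events land in the indexer's default index, normally main)")
        elif known_indexes is not None and index not in known_indexes:
            findings.append(f"{name}: index '{index}' does not exist on the indexer")
    return findings


def check_outputs(outputs):
    """Report a [tcpout] configuration that cannot reach an indexer."""
    tcpout = outputs.get("tcpout")
    if tcpout is None:
        return ["outputs.conf has no [tcpout] stanza"]
    group = tcpout.get("defaultGroup")
    if not group:
        return ["[tcpout] has no defaultGroup"]
    group_stanza = outputs.get(f"tcpout:{group}")
    if group_stanza is None:
        return [f"defaultGroup '{group}' has no [tcpout:{group}] stanza"]
    findings = []
    servers = [s.strip() for s in group_stanza.get("server", "").split(",") if s.strip()]
    if not servers:
        findings.append(f"[tcpout:{group}] lists no server")
    for entry in servers:
        _host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            findings.append(f"[tcpout:{group}] bad server entry '{entry}' (expected host:port)")
    return findings


def diagnose(inputs_text, outputs_text, known_indexes=None):
    """Combined findings for a forwarder's inputs.conf and outputs.conf."""
    return (check_inputs(parse_conf(inputs_text), known_indexes)
            + check_outputs(parse_conf(outputs_text)))


# Constructed samples: the first mirrors the inputs.conf posted in the thread.
ORIGINAL_INPUTS = """\
[default]
host = DC01
"""
FIXED_INPUTS = """\
[default]
host = DC01

[WinEventLog://Security]
disabled = 0
index = wineventlog
"""
OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.0.2.10:9997
"""
# Constructed; in practice fetch the real list from the indexer's /services/data/indexes.
INDEXER_INDEXES = {"main", "_internal", "wineventlog"}

if __name__ == "__main__":
    for label, text in (("as posted", ORIGINAL_INPUTS), ("with Security stanza", FIXED_INPUTS)):
        problems = diagnose(text, OUTPUTS, INDEXER_INDEXES)
        print(f"{label}: {problems or 'no problems found'}")
```

Run it on the DC against the UF's `etc/system/local` (or the relevant app's `local`) copies of the two files; a clean result for both still means splunkd must be restarted for a new stanza to take effect, as the reply above notes.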