Currently I have a Splunk full install on a Centos 6.4 machine and a Win server 2008 R2 machine. They are both VMs. I am able to get the universal forwarders to send log data to each instance, as well as get the Centos install to send data to the Windows install.
I am unable to get the app for Active Directory to work. It is installed on the Windows server. I have gone by the documentation provided by Splunk and everything appears to be on par with the set up instructions. It is not reading the topology, showing dashboards, etc. It is acting as if no data is going to it.
The SA-ldapsearch log is giving three errors. One is a stack trace error. Another is a java null pointer exception thrown: null error. The last states that it could not find an entry in ldap.conf.
Any insight into this would be fantastic as I have been unable to find a fix anywhere that works for my deployment.
Thanks
It seems my problem may lie in an improperly labeled hostname. Dashboards are failing because they are looking for the hostname of my domain controller, but information coming in as AD data is being tagged with the host=
For others that may be interested, the documentation on the site is unclear about where exactly within the Universal Forwarder to place the Tech Add-ons for DNS/Domain Controllers. They go into the etc/apps directory within the Universal Forwarder directory. Not the Universal Forwarder's root directory, nor the Universal Forwarder directory located within etc/apps. This has the dashboards being populated. There are still errors involving empty lookup tables in some of the sections of the app. Will update once this is figured out.
Sounds like you've been through the docs so that is great. I would also go though this blog post from the creator of the app. Just want to makes sure that you aren't using Splunk v6, since the app is not certified to work on that release yet.
http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/
Yes it was done automatically, I had a lapse in brain function when posting that comment. I should also mention I have tried completely removing and reinstalling Splunk from the bottom up...indexers, forwarders, TAs, everything, and wound up at the same point each time: Receiving log data, but no information within the app itself.
The SA/TA's for the Splunk app for AD will sourcetype your data and put it into the appropriate index for the app. That is not something you should have to do manually.
I'm sorry, I do have indexes created, and three that are App for AD specific, disregard last comment
Thanks for the reply.
I should have included that information. Running Splunk 5.0.3, jre 7 x64 installed. Used the search commands to manually create tables. Everything else there I have done.
After creating the tables, returned to the topology report of the App for AD. It's still empty with a blue bar at the top: "No matching fields exist"
I seem to have no indexes, even though I am receiving and displaying log data appropriately, including AD logs, as it has it's own section within the Search App. It seems indexes need manual creation. Would this affect viewing the topology, etc?