I'm guessing somewhere along the way I skipped an important step, but I'm hoping somebody can give me some way to troubleshoot this issue without having to start over from scratch... I'm working with a very simple setup here, with a single Splunk server, and a universal forwarder (plus the relevant apps) installed on one of our two local domain controllers (2008 R2).
I've tested LDAP searches, and that seems to be working. Security logging on the DC is auditing everything except "process tracking". Data is clearly flowing into Splunk, but the app claims that data for "Users", "Groups", and "Computers" is not found when I run the auto-setup.
(Weird and probably irrelevant aside: "Computers" did actually show up during one attempt, but never since. I did not make any change I can think of that would have caused this; I was literally just hitting the "Detect" button over and over again, thinking maybe the issue was that not enough log data had been imported yet.)