Hi,
Splunk 6.2, indexer is a Debian 7.7 64-bit VM, universal forwarder is installed on a Windows 2008 R2 64-bit VM. I've just finished configuring Splunk App for Windows Infrastructure following the manual to the letter (includes Windows Add-on and Splunk Supporting Add-on for Active Directory, AKA ta_ldapsearch). I prepared my AD according to the manual, installed the apps, have the forwarder starting automatically as a service in my AD box, deployed with my deployment server both Splunk_TA_Windows and the add-ons needed for Infrastructure (ta-dnsserver-nt6 and ta-domaincontroller-nt6). I can see the data coming in, I can run searches, but the app dashboards do not show anything; they either say "no results found" or the drop-down boxes do not get filled and the dashboards stay "waiting for input" forever. If I try to configure the app via "Tools and Settings" -> "App Configuration" and let it detect ("Detect" button), it only selects "Group Policy" and "Organizational Units", and shows nothing in the dashboards. If I force it (select all boxes manually) it does show some summary info but still does not show anything in the dashboards. I have only a custom inputs.conf file for Windows Add-on with all sources enabled, but nothing else. The ldapsearch add-on seems to be working correctly, since it can connect to my AD using the "test" button in the app's configuration page.
I am not sure where I should start looking for clues, but I noticed the searches for the dashboards are not working with specific field values (like eventtype=powershell). I've checked this by listing and opening the objects of the app and copying/pasting some of the searches into a search window; nevertheless, if I precede the searches with eventtype=* they work flawlessly for all fields that have already indexed data, which is really odd. The format I MUST use at all times in order to get anything is:
eventtype=* eventtype=powershell sourcetype="blah blah blah..." | stats (more blah blah blah)
The data surely is coming in, since today we reached our daily limit for index data (500 MB trial license) again and the main data is coming from the AD server and going to the indexes of the related apps, I've checked it in "license usage" and in the date for the newest events in the indexes.
Any ideas? I was trying to help a client that has the exact same issue, only for him it is an enterprise environment; mine is just a lab. I thought I would get lucky, install everything and then just show up with the answer for the client, but it seems there is more to it than meets the eye, sort of. I've already double-checked the app documentation to see if I didn't skip any important steps, but it seems it has all been done by the book, so where is the catch? The client is not happy and Splunk is not looking good for him. I would like to avoid a negative review; even if they do not buy the product it would be nice if they do not spread a bad word about it, coz they are BIG, nay HUGE, and they get HEARD around here...