Channel: Questions in topic: "splunk-enterprise"

Can't get data using the Windows App for Windows Infrastructure.

Can't get any data from this, setting it up with 1 deployment app, 1 search head and 2 clustered indexers. Worked through the 'Get Windows Data' and noticed a comment on the document - http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/Confirmandtroubleshootdatacollection

"After running through the install, I wasn't receiving events in my indexes. It appears that the input.conf from the Splunk Add-on for Windows and the indexes.conf from the Splunk App for Windows Infrastructure don't match up. Inputs.conf from the Splunk Add-on for Windows, which I deployed to my Universal Forwarder, sends the events to an index called wineventlog, but the indexes.conf file that is copied to C:\Program Files\Splunk\etc\system\local\ during the indexer setup step doesn't create that index. It only creates MSAD, PERFMON, & WINEVENTS. I also have events on the input.conf from the Splunk Add-on for Windows that are trying to hit an index called WINDOWS. I guess I may need to tweak either the indexes.conf file or the inputs.conf file so that the events can be correctly indexed? If I change one will it break something else? (dashboards) BWWB August 28, 2015"

Can anyone verify if this is the problem? I have continued onto the 'Get Active Directory Data' section and the input.conf file for this app does reference the MSAD, PERFMON, & WINEVENTS indexes but still no data appears. Will the fact I don't have a licence installed have anything to do with this?

Thanks in advance,
Jay
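
The mismatch described in the quoted comment (inputs pointing at indexes that indexes.conf never creates) can be checked mechanically. The following Python script is an added example, not part of the original post and not Splunk tooling: it parses the two files and lists every enabled input stanza whose `index` setting names an index that is not defined. The function names and the sample stanzas are assumptions constructed for illustration, and the names are compared case-insensitively because the post writes them in capitals.

```python
import re

STANZA = re.compile(r"^\[(.+)\]\s*$")
SETTING = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (hypothetical helper)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = SETTING.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return stanzas

def missing_indexes(inputs_text, indexes_text):
    """Return {index: [input stanzas]} for indexes used by inputs but not defined."""
    # [default] and [volume:...] stanzas in indexes.conf are not indexes.
    defined = {n.lower() for n in parse_conf(indexes_text)
               if n != "default" and not n.startswith("volume:")}
    missing = {}
    for stanza, settings in parse_conf(inputs_text).items():
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue  # disabled inputs send nothing
        index = settings.get("index")  # inputs without one use the default index
        if index and index.lower() not in defined:
            missing.setdefault(index.lower(), []).append(stanza)
    return missing

# Constructed samples mirroring the index names mentioned in the post.
SAMPLE_INPUTS = """
[WinEventLog://Security]
index = wineventlog
[WinEventLog://System]
index = wineventlog
[perfmon://CPU]
index = perfmon
[WinHostMon://Computer]
index = windows
"""
SAMPLE_INDEXES = "[msad]\n[perfmon]\n[winevents]\n"

if __name__ == "__main__":
    for index, stanzas in missing_indexes(SAMPLE_INPUTS, SAMPLE_INDEXES).items():
        print(f"index '{index}' is not defined; used by: {', '.join(stanzas)}")
```

To run it against a real deployment, read the forwarder's inputs.conf and the indexers' indexes.conf from disk and pass their contents to `missing_indexes`.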
