Channel: Latest Questions on Splunk Answers

SA-ldapsearch issue?

I am working to set up a POC of Splunk with Active Directory, and so far have the UF installed on one DC. Data is coming in, lots of data in fact, and everything seems to be working except for some of the reports. I believe it's related to pulling information from LDAP that isn't working, and I'm unsure why.

For example, Security > Audit > User Audit

As soon as I open this report, I get two notification bars at the top. The first is: [subsearch]: No matching fields exist

and the second is: No matching fields exist

and no data will load in this report, except for Failed Logon Activity. No matter what user I search for, or even without typing in a user, this is the behavior that I am getting.

I have the same issue on the Computer Audit report, as well, and I'd assume all the audit-related reports.

I've checked the SA-ldapsearch log, which has nothing in it. What other logs should I be looking in?

