topic Re: lookup problem with ms windows ad project in All Apps and Add-ons

Need help with lookup problem with ms windows ad project

hichem_khalfi — Tue, 01 Mar 2022 16:44:31 GMT

I'm new with splunk, I installed app ms windows ad object but in order to fix the shared points:
First: Add an automatic lookup for source XMLWinEventLog:Security using the AD_Audit_Change_EventCodes lookup.
In the MS Windows AD Objects app, navigate to Settings - - > Lookups - - > Automatic Lookups.
Click New Automatic Lookup
Enter the following:
Name: ms_ad_obj_wrkaround_msad_action
Source: XmlWinEventLog:Security
Lookup Input Fields:
EventCode = EventCode
obj_type = obj_type
Lookup output Fields:
change_action = change_action
Click Save
Set the permissions to the app and role permissions

I did what is asked but I still get the message:
Could not load lookup=LOOKUP-ms_ad_obj_wrkaround_msad_action

with a failure for some functionalities of the application

Re: lookup problem with ms windows ad project

gcusello — Tue, 01 Mar 2022 12:43:52 GMT

Hi @hichem_khalfi,

I don't love automatic lookups because sometimes they don't work and anyway it's more difficoult to debug code when there's a problem.

Anyway, before to create an automatic lookup, you have to create a lookup and test it; automatic lookup is only a rule but it doesn't create the lookup.

Did you cretead the lookup and the lookup definition?

Ciao.

Giuseppe

Re: lookup problem with ms windows ad project

hichem_khalfi — Tue, 01 Mar 2022 12:52:17 GMT

no, i did what the app owners asked

Re: lookup problem with ms windows ad project

gcusello — Tue, 01 Mar 2022 13:01:52 GMT

Hi @hichem_khalfi,

Ok check if the lookup and the lookup definition of ms_ad_obj_wrkaround_msad_action are defined or not.

Ciao.

Giuseppe

Re: lookup problem with ms windows ad project

hichem_khalfi — Tue, 01 Mar 2022 13:09:14 GMT

@gcusello

i c'ant fin ms_ad_obj_wrkaround_msad_action on Lookup definitions

Re: lookup problem with ms windows ad project

gcusello — Tue, 01 Mar 2022 13:16:47 GMT

Hi @hichem_khalfi,

as I said, the problem is that you want to create an automatic lookup without create lookup and lookup definition before.

Check the documentation.

Maybe you are only using a wrong name.

Ciao.

Giuseppe

Re: lookup problem with ms windows ad project

hichem_khalfi — Tue, 01 Mar 2022 13:35:39 GMT

please read: that what i did exactly , i havent LOOKUP-ms_ad_obj_wrkaround_msad_action from the begin and i create it as the app owner told

IMPORTANT - XMLWinEventLog - msad_action field extraction - Work Around

There is a current issue where the msad_action field is not being extracted by the Splunk AddOn for Windows for XMLWinEventLogs. This field is heavily leveraged by this application, so below is a workaround until the TA is fixed, or a new version of this app is released.

First: Add an automatic lookup for source XMLWinEventLog:Security using the AD_Audit_Change_EventCodes lookup.

In the MS Windows AD Objects app, navigate to Settings - - > Lookups - - > Automatic Lookups.
Click New Automatic Lookup
Enter the following:
- Name: ms_ad_obj_wrkaround_msad_action
- Source: XmlWinEventLog:Security
- Lookup Input Fields:
  - EventCode = EventCode
  - obj_type = obj_type
- Lookup output Fields:
  - change_action = change_action
- Click Save
- Set the permissions to the app and role permissions

Second: Update the source::XmlWinEventLog:Security : EVAL-msad_action calculated field in the MS Windows AD Objects app.

In the MS Windows AD Objects app, navigate to Settings - - > Fields - - > Calculated Fields
In the Search box, type msad_action
Click on the source::XmlWinEventLog:Security : EVAL-msad_action
Replace the Eval Expression:
- From: if(msad_action=“change” OR msad_action=“changed” OR msad_action=“set” OR msad_action=“reset”,“modified”,if(msad_action=“add”,“added”,if(EventID=“4722",“enabled”,msad_action)))
- To: if(isnull(change_action),if(msad_action=“change” OR msad_action=“changed” OR msad_action=“set” OR msad_action=“reset”,“modified”,if(msad_action=“add”,“added”,if(EventID=“4722”,“enabled”,msad_action))),change_action)
Click Save

Re: lookup problem with ms windows ad project

gcusello — Tue, 01 Mar 2022 15:06:27 GMT

Hi @hichem_khalfi,

I haven't this app so I cannot test it, but the instruction seems to be clear:

did you created the Automatic Lookup and the calculated field in the same App or outside it?

did you give the grants to the automatic lookup and the calculated field?

If you don't reach to solve the problem, you can contact the developer (there's a link in https://splunkbase.splunk.com/app/3177/ )

Ciao.

Giuseppe