https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121499#M9366 <P>I'm trying to get the Splunk App for Windows Infrastructure working (works for windows events but nothing else) and I'm running into some problems with AD. I believe I have everything setup correctly. I can search AD, for example, |ldapsearch domain=DOMAIN search="(cn=Administrator)" returns a result. However, when I do this search eventtype=msad-dc-health it returns nothing. And when I try to run one of the macros, like <CODE>domain-list</CODE>|dedup host|outputlookup DomainList.csv, it returns Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Expecting stanza name 'domain-list'. What am I doing wrong? I've also tried the legacy AD app without success. All the prerequisites appear to be met. Nothing ever populates in the apps AD queries. Thanks.</P> Sun, 06 Apr 2014 20:10:13 GMT zwillis24 2014-04-06T20:10:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121499#M9366 <P>I'm trying to get the Splunk App for Windows Infrastructure working (works for windows events but nothing else) and I'm running into some problems with AD. I believe I have everything setup correctly. I can search AD, for example, |ldapsearch domain=DOMAIN search="(cn=Administrator)" returns a result. However, when I do this search eventtype=msad-dc-health it returns nothing. And when I try to run one of the macros, like <CODE>domain-list</CODE>|dedup host|outputlookup DomainList.csv, it returns Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Expecting stanza name 'domain-list'. What am I doing wrong? I've also tried the legacy AD app without success. All the prerequisites appear to be met. Nothing ever populates in the apps AD queries. Thanks.</P> Sun, 06 Apr 2014 20:10:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121499#M9366 zwillis24 2014-04-06T20:10:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121500#M9367 <P>Have you deployed the TAs for active directory monitoring?</P> <P>Specifically: TA-DNSServer-NT5 TA-DNSServer-NT6 TA-DomainController-2012R2 TA-DomainController-NT5 TA-DomainController-NT6 (as appropriate)</P> Fri, 11 Apr 2014 20:04:25 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121500#M9367 dbylertbg 2014-04-11T20:04:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121501#M9368 <P>Thanks for the reply. I do have those setup in local folders... I think correctly. Any reason why I would be getting this error Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Or anything else you can think of that I might be missing? I went through the setup docs very closely. Thanks!</P> Fri, 11 Apr 2014 22:50:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121501#M9368 zwillis24 2014-04-11T22:50:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121502#M9369 <P>have you verified your ldapsearch is working properly? Specifically the SA-ldapsearch addon required? </P> Wed, 16 Apr 2014 12:26:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121502#M9369 dwithers 2014-04-16T12:26:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121503#M9370 <P>I did. That is working fine. I can search AD and AD changes are being indexed.</P> Wed, 16 Apr 2014 18:29:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121503#M9370 zwillis24 2014-04-16T18:29:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121504#M9371 <P>Fix by Splunk support. There was an issue with the newest version of the Active Directory app.</P> Thu, 24 Apr 2014 09:35:50 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Windows-Infrastructure-AD-issue/m-p/121504#M9371 zwillis78 2014-04-24T09:35:50Z