https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565889#M9868 <P>Hi</P><P>Thanks for your explanation on&nbsp;<SPAN>Active Directory add on</SPAN></P><P>Just another question&nbsp;</P><P>Is it also possible to use a DB connect and to link it with the AD forest and to export events in a KV Store lookup?</P> Sat, 04 Sep 2021 06:35:06 GMT jip31 2021-09-04T06:35:06Z https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565732#M9859 <P>Hi</P><P>I try to list the different way to collect Active Directory in Splunk</P><P>Except if I am mistaken there is 2 main way to do that :</P><OL><LI><FONT size="3">Using the Splunk Supporting Add-on for Active Directory:&nbsp;&nbsp;<A title="https://splunkbase.splunk.com/app/1151/" href="https://splunkbase.splunk.com/app/1151/" target="_self">https://splunkbase.splunk.com/app/1151/</A>&nbsp;</FONT></LI><LI><FONT size="3"><SPAN>Using the splunk-admon.exe process&nbsp;</SPAN></FONT></LI></OL><P><FONT size="3"><SPAN>Is it true? What are the advantages and disadvantages of these solutions please?</SPAN></FONT></P><P><FONT size="3"><SPAN>Is it also possible to install a connector between Splunk and AD in order to store the AD events in a KV Store?</SPAN></FONT></P><P><FONT size="3"><SPAN>Thanks in advance</SPAN></FONT></P> Fri, 03 Sep 2021 04:06:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565732#M9859 jip31 2021-09-03T04:06:15Z https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565768#M9861 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/102660">@jip31</a>&nbsp;,</P><P>Splunk recommends using the Active Directory add on. It's much faster, efficient and easy to debug, if you encounter issues on it.</P><P>It gives you a connection with the AD forest. After that, all you need to do is to configure a simple search to query the data and outputlookup into a KVStore lookup, just what you're looking for.</P><P>Hope this helps.</P><P>Thanks,</P><P>S</P><P>***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***</P> Fri, 03 Sep 2021 10:24:08 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565768#M9861 shivanshu1593 2021-09-03T10:24:08Z https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565889#M9868 <P>Hi</P><P>Thanks for your explanation on&nbsp;<SPAN>Active Directory add on</SPAN></P><P>Just another question&nbsp;</P><P>Is it also possible to use a DB connect and to link it with the AD forest and to export events in a KV Store lookup?</P> Sat, 04 Sep 2021 06:35:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565889#M9868 jip31 2021-09-04T06:35:06Z https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565903#M9871 <P>I believe you can query AD using SQL commands, so technically it is possible. I'd consult with the server team and see if they are okay with it.&nbsp;</P><P>To pipe the data into a KVStore using DBconnect is a big pain in the rear end. You'll have to do the following:</P><P>1. Create a search using dbquery command and get the desired output from AD forest.</P><P>2. Use outputlookup to put the data into KVStore.</P><P>3. Save the search as scheduled search to keep the process going.</P><P>Hope this helps.</P><P>Thank you,</P><P>S</P><P>***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***</P> Sat, 04 Sep 2021 12:03:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-on-AD-monitoring-with-Splunk/m-p/565903#M9871 shivanshu1593 2021-09-04T12:03:18Z