topic Re: Active Directory inputs missing SYNC event types after 6.2.1 upgrade? in Getting Data In

Active Directory inputs missing SYNC event types after 6.2.1 upgrade?

mcrawford44 — Thu, 09 Jul 2015 20:29:42 GMT

As the question above states;

Since the 6.2.1 update of Splunk, our active directory inputs are no longer gathering 'admonEventType=Sync' events.

Sync events are the main meat of the AD indexes, containing the actual listing for objects.

Our last _time entry is 12/16/2014 around 10am, immediately after the 6.2.1 update.

The other 3 admonEventTypes are still collected. Start, Scheme, update.

I have recreated the inputs on 2 servers in different location, and the same behavior remains. Only 3 of the event types are being collected.

mcrawford44 — Fri, 17 Jul 2015 19:55:03 GMT

Splunk support was able to replicate this bug and have submitted a ticket; SPL-104212

Awaiting response, and I will post any remediation steps here.

corey_dick — Fri, 22 Jan 2016 19:57:16 GMT

The solution is to remove the following line from the admon stanza in inputs.conf file in the system\default folder:

baseline=0

Adding baseline=1 to the inputs.conf in the system\local folder has no effect from what I could see. This issue effects all versions of 6.2 and 6.3.