All Apps and Add-ons

Active Directory Returning duplicated events?

Loves-to-Learn Lots

So we're having this issue where all of our active directory events are coming back as having multiple duplicates of the same event. We had an issue with the Service accounts splunk used but all the domains we want to query can be queried now. Confirmed via ldaptestconnection.

But this is specifically happening with searches relating to ldapfilter, below is the search we use,

Note : the ldap_doamins.csv contains all the domains we have and what splunk so search.

| inputlookup ldap_domains.csv WHERE enabled=1
| fields - enabled
| ldapfilter search="(&(memberOf:1.2.840.113556.1.4.1941:=CN=Backup Operators,CN=Builtin,$baseDN$))" domain=$domain$ attrs="name,sAMAccountName,objectCategory,objectClass,objectSID"
| tojson
| eval _raw = replace(_raw,"^{","{\"query_type\":\"activedirectory:admin_groups\",\"taskid\":\"".now()."\",\"admin_group_dn\":\"CN=Backup Operators,CN=Builtin,".baseDN."\",")
| eval _raw = replace(_raw,"\:\[\]",":\"\"")
| foreach *
| eval _raw=replace(_raw,"<<FIELD>>", lower("<<FIELD>>"))
| fields _raw
| collect `activedirectory_index` output_format=hec

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...