I have Splunk Cloud and on here I have the Splunk App for Windows Infrastructure installed. I also have the Splunk Supporting Add-on for Active Directory installed (which I was told was needed) on Splunk Cloud. However, I'm not so sure this is correct because the configuration of this supporting Add-on looks very much like it needs to be within my local network.
In my local network, I have a domain controller with the Splunk Add-on for Microsoft Windows installed and this is sending data to my Splunk Cloud indexes. However, some of my dashboards display errors like this:
[subsearch]: External search command 'ldapsearch' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=MYDOMAIN in ldap.conf. "
I've been reading through the docs again and it seems like I need to have LDAP searches configured and working which appear to be part of the Supporting Add-on for Active Directory. However, another post I read said that the Splunk Add-on for Microsoft Windows removes the need for this supporting add-on.
I'm wholly confused at the moment. Can someone clear this up for me? I just want to get all data working correctly on the Splunk App for Windows Infrastructure hosted in my Splunk Cloud environment. Documentation just feels like an utter minefield.
Am I missing an app on my local server or have I missed a piece of key config on the Splunk Add-on for Microsoft Windows App?


The ldapsearch command cannot be run from Splunk Cloud because SC does not have access to your AD service. You'll have to ignore the dashboard panels that use ldapsearch.
If this reply helps you, Karma would be appreciated.
Right, I see. Surely there could be something at the start of the documentation in bold that says "XYZ functionality is not available in Splunk Cloud".
Could this be achieved by collecting the data locally via an on-prem instance and then forwarding it to my Splunk Cloud?


Yes, the documentation could be better.
Yes, you can collect the data locally and forward it to Splunk Cloud. That is common; however, it does not fix the ldapsearch command.
If this reply helps you, Karma would be appreciated.
Thanks Rich.
Seems like another limitation amongst quite a lot I've found with Splunk Cloud.


Limitations should be expected when you're using someone else's computer.
If this reply helps you, Karma would be appreciated.
And said owner (account manager/sales rep in this case) of computer should sell it clearly stating said limitations rather than saying X can do everything Y can do but in a more simplistic offering.


It's true Splunk could do more to let users know about the limitations of Splunk Cloud. Also, one should not put too much stock in the technical information provided by sales people.
BTW, some differences are published at https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Service/SplunkCloudservice#Differences_be...
If this reply helps you, Karma would be appreciated.
Oh don't worry I know about sales people. This was one bit of procurement I was not involved in, I'm simply the techy doing the implementation. I was however involved in an account management catchup call and the term 'professional services' was used 16 times in less than 25 minutes (my colleague and I had a bet on how many times they would push it). Either way, greater clarity is needed in both the documentation and the way it's sold. At the moment, Splunk Cloud just feels like a product pushed out quickly for the sake of casting a wider sales net.
Anyway, I appreciate the insight and good to know I need not waste any more time on this particular aspect! That's me over and out!
