DsBind failed

adamblock1 · ‎06-20-2014

A few days I upgraded my Splunk servers (Deployment/license server, search head, indexers, heavy forwarder) from version 5.0.5 to 5.0.8. While reviewing the splunkd.log file on one of the indexer servers, I noticed a large number of warnings which state "WinEventLogChannel - connectToDC: DsBind failed: (1722)'No such host is known.'"

The indexer appears to be receiving logs properly.

Any assistance would be appreciated.

Thank you.

chanfoli · ‎10-01-2015

If you are seeing these errors with a basic event logging setup and you don't have your universal forwarders talking to AD to resolve AD objects in events, you might want to try this in your inputs.conf:

evt_resolve_ad_obj = 0

This tells the forwarder not to try to resolve AD objects. The default with this input type is to do so but if you don't set up the AD binding with evt_dc_name or evt_dns_name it does not work so you will see tons of these errors.

DsBind failed

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

DsBind failed

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future