All Apps and Add-ons

How to use indexes with names other than msad for the MS Windows AD Objects app?

corey_dick
Path Finder

How can you set up the MS Windows AD Objects app to use indexes with names other than msad? I can't find any documentation for that, even though the setup acts like it should work. Trying to use it with admon and some indexes that we have already created.

0 Karma

shogan_splunk
Splunk Employee

For the MS Windows AD Objects macros, reports, and dashboards, the index is defined in the ms_ad_obj_msad_data eventtype. There were a few that I unfortunately didn't see still referenced the msad index specifically, which will be updated in the next release to use the ms_ad_obj_msad_data eventtype. Below is the list of searches and dashboards that you will need to update, either by putting in your indexes or by using the ms_ad_obj_msad_data eventtype:
Reports that have index=msad specifically in them: AD Objects - Verify Baseline Data – Overall, and AD Objects - Verify Baseline Data – Completed
Dashboard that uses index=msad in drilldown links: AD Object - Lookup Fields Information
To update the eventtype, just navigate to Settings > Event types and search for ms_ad_obj_msad. Then update it with your index(es).

Example: (index=yourindex1 OR index=yourindex2 OR index=yourindex3) sourcetype=ActiveDirectory
I will fix the above Reports and Dashboards in the next release. Hopefully this helps you out.
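The same eventtype change can be made in a configuration file instead of through the Settings UI. The stanza below is an added example, not part of the answer above or of the app itself; it assumes the eventtype name ms_ad_obj_msad_data from the answer, a local override placed in the app's local/eventtypes.conf (so it survives app upgrades), and three placeholder index names that you would replace with the admon indexes you actually created.

```ini
# Added example: local override of the app's eventtype so every macro, report
# and dashboard that references ms_ad_obj_msad_data reads from your own indexes.
# File: etc/apps/<app directory>/local/eventtypes.conf  (app directory name is a placeholder)
# Index names below are constructed placeholders; substitute the indexes your
# admon inputs actually write to (one per domain, for example).
[ms_ad_obj_msad_data]
search = (index=ad_domain_a OR index=ad_domain_b OR index=ad_domain_c) sourcetype=ActiveDirectory
```

After saving the file, reload the configuration (or restart Splunk) and run `eventtype=ms_ad_obj_msad_data | stats count by index` to confirm that events from all of your AD indexes are returned; the two Verify Baseline Data reports and the Lookup Fields Information drilldown named in the answer still hard-code index=msad and need to be edited separately.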

sk314
Builder

How are you getting the data? Are you getting the data using the Splunk App for Windows Infrastructure and the related add-ons? In that case, the add-ons expect those indexes to be present. If you want to change that behavior, you need to make changes to the add-ons, specifically the inputs.conf in the add-ons, which specifies the index that the data needs to be sent to. If not, please give us more information about how your logs are being collected.

0 Karma

corey_dick
Path Finder

Using admon which indexes the AD object data into several indices as we have several domains within our environment.

0 Karma