How to use indexes with names other than msad for the MS Windows AD Objects app?

corey_dick
Path Finder

How can you set up the MS Windows AD Objects app to use indexes with names other than msad? I can't find any documentation for that, even though the setup acts like it should work. Trying to use it with admon and some indexes that we have already created.

0 Karma

shogan_splunk
Splunk Employee

For the MS Windows AD Objects macros, reports, and dashboards, the index is defined in the ms_ad_obj_msad_data eventtype. There were a few that I unfortunately didn't see still referenced the msad index specifically, which will be updated in the next release to use the ms_ad_obj_msad_data eventtype. Below is the list of searches and dashboards that you will need to update, either by putting in your indexes or by using the ms_ad_obj_msad_data eventtype:
Reports that have index=msad specifically in them: AD Objects - Verify Baseline Data – Overall, and AD Objects - Verify Baseline Data – Completed
Dashboard that uses index=msad in Drilldown Links: AD Object - Lookup Fields Information
To update the eventtype, just navigate to Settings, eventtypes and search for ms_ad_obj_msad. Then update it with your index(es).

Example: (index=yourindex1 OR index=yourindex2 OR index=yourindex3) sourcetype=ActiveDirectory
I will fix the above Reports and Dashboards in the next release. Hopefully this helps you out.
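To locate searches that still hard-code the index before editing them, the text of the app's .conf files or dashboard XML can be scanned for literal references. This is an added example, not part of the original post or the app's own code; the function name is hypothetical and the sample stanzas and search strings are constructed for illustration.

```python
import re

# Constructed sample in savedsearches.conf layout. Stanza names are modelled on
# the reports named in the answer; the search strings are invented.
SAMPLE_CONF = """\
[AD Objects - Verify Baseline Data - Overall]
search = index=msad sourcetype=ActiveDirectory | stats count by host

[AD Objects - Verify Baseline Data - Completed]
search = index="msad" sourcetype=ActiveDirectory \\
    | stats count

[Constructed - Uses Eventtype]
search = eventtype=ms_ad_obj_msad_data | stats count by objectCategory

[Constructed - Other Index]
search = index=msad_archive sourcetype=ActiveDirectory
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def hardcoded_index_refs(text, index="msad"):
    """Return {stanza: [line numbers]} for literal references to `index`.

    Matches index=msad, index="msad", index::msad and the URL-encoded
    index%3Dmsad form (assumed here for dashboard drilldown links), but not
    longer names such as msad_archive.
    """
    pattern = re.compile(
        r"\bindex\s*(?:=|::|%3D)\s*[\"']?" + re.escape(index) + r"(?![\w\-*])",
        re.IGNORECASE,
    )
    hits = {}
    stanza = "default"  # lines before any [stanza] header, e.g. raw XML
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # .conf comment line
        header = STANZA.match(line)
        if header:
            stanza = header.group("name")
            continue
        if pattern.search(line):
            hits.setdefault(stanza, []).append(lineno)
    return hits


if __name__ == "__main__":
    for name, lines in hardcoded_index_refs(SAMPLE_CONF).items():
        print(f"{name}: line(s) {lines}")
```

Stanzas that already use the eventtype, or that reference a different index, are not reported, so the output is the list of objects that still need a manual edit.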

sk314
Builder

How are you getting the data? Are you getting the data using Splunk App for Windows Infra and the related add-ons? In that case, the add-ons expect those indexes to be present. If you want to change that behavior, you need to make changes to the add-ons, specifically the inputs.conf in the add-ons, which specifies the index that the data needs to be sent to. If not, please give us more information about how your logs are being collected.

0 Karma

corey_dick
Path Finder

Using admon which indexes the AD object data into several indices as we have several domains within our environment.

0 Karma