MS Windows AD Objects: Why won't lookups build?

cdasong · ‎08-25-2022

I recently re-installed MS Windows AD Objects app due to some issues. After the re-install, I tried the lookups build configuration wizard, but it doesn't seem to build lookups even though wizard ran successfully with all green "successful" message.

I tried reseting the admon baseline, adding manual domain input but still no luck. Indexes look correct, log is still getting ingested,

I used pre-defined TA inputs.conf files, mainly working with 1 DC. This DC has below apps.
Splunk_TA_windows
Splunk_TA_windows_dc
Splunk_TA_windows_admon

Main lookup i'm trying to build is 'AD_User_LDAP_list' as my searches with this lookup shows error message "The lookup table 'AD_User_LDAP_list' requires a .csv or KV store lookup definition."

Can somebody point me to the right direction to fix this issue?

gcusello · ‎08-26-2022

Hi @cdasong,

check the lookup building scheduled searches, ofter in these searches there isn't the index to use and requires a little customization.

The other solution is to put all the indexes in the default path for searches, but I don't like because in this way you have slower searches.

Ciao.

Giuseppe

MS Windows AD Objects: Why won't lookups build?

configuration

troubleshooting

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms