
No result in Active Directory app

sd100
Explorer

Hello, I spent some time configuring my Active Directory app, but no results are coming up in the dashboard. Every graph says: "no results found".
If I remove 'host!="*" ' from a search (let's say the security->logon failed search), I DO get a result. The same thing happens with some other searches.

Logs are coming in correctly: they come from a forwarder with TA_addon and go to the "winevents" index (I changed inputs.conf). On the indexer: TA_addon is installed but not configured, sa_ldapsearch is installed and configured, and the Activedirectory app is installed and searching in the winevents index (I changed eventtypes.conf).

Version used of TA_ADDON is 4.6, Activedirectory : 1.1.3

Should I modify the app to remove host!="*" in every search? Any idea what I'm doing wrong?

Thanks

1 Solution

MarioM
Motivator

Make sure you have the right TA (NT5 > win2003, NT6 win2008) in the domain controller's Splunk forwarder:

TA-DNSServer-NT5
TA-DNSServer-NT6
TA-DomainController-NT5
TA-DomainController-NT6

You can find them in splunk\etc\apps\Splunk_for_ActiveDirectory\appserver\addons


0 Karma

sd100
Explorer

In the dashboard Security->user logon failures, the graphs are empty: "no results found. inspect...". If I click on inspect, the search contains this host!="". If I copy/paste this search WITHOUT the host!="", I'm getting a result.
But I guess the trouble is elsewhere: the upper part of the dashboard is empty (in Forest, domain, ...).
Part of the answer is that the forwarder on my domain controller only contains the TA_windows app.
I forgot to add the apps TA-DNSServer-NT6 and TA-DomainController-NT6 on the domain controller
(you get them in active_directory/appserver/addons on your indexer).


sd100
Explorer

Copied the app to the domain controller's forwarder, restarted the service, and boom: graphs are OK, domain and site appear at the top of the Active Directory app... Great, thanks.

0 Karma

MarioM
Motivator

Where do you have this host!="*"? I cannot find it in any of the app's conf files.

0 Karma