All Apps and Add-ons

No result in Active Directory app

sd100
Explorer

Hello, I spent some time configuring my Active Directory app, but no results are coming up from the dashboard. Every graph says: "no results found".
If I remove 'host!="*"' from a search (let's say the Security -> Logon Failed search), I DO get a result. The same thing happens on some other searches.

Logs are coming in correctly: logs are coming from a forwarder with the TA_addon going to the "winevents" index (I changed the inputs.conf). On the indexer: the TA_addon is installed but not configured, sa_ldapsearch is installed and configured, the Active Directory app is installed and searching in the winevents index (I changed the eventtypes.conf).

Versions used: TA_ADDON 4.6, Active Directory app 1.1.3

Should I modify the app to remove host!="*" in every search? Any idea what I'm doing wrong?

Thanks

1 Solution

MarioM
Motivator

Make sure you have the right TA (NT5 for Win2003, NT6 for Win2008) in the domain controller's Splunk forwarder:

TA-DNSServer-NT5
TA-DNSServer-NT6
TA-DomainController-NT5
TA-DomainController-NT6

You can find them in splunk\etc\apps\Splunk_for_ActiveDirectory\appserver\addons

0 Karma
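
A quick way to confirm that the domain controller's forwarder is actually sending the add-on data the dashboards need (an added diagnostic search, not part of the original answer; it assumes the "winevents" index named in the question and a forwarder host name you fill in):

```spl
/* Added example: list what each forwarder is sending into the winevents index.
   Replace <dc-forwarder-host> with the host name of your domain controller. */
index=winevents host="<dc-forwarder-host>" earliest=-24h
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY host, sourcetype, source
| convert ctime(first_seen) ctime(last_seen)
| sort host, sourcetype
```

If the only sourcetypes listed are the ones produced by the base Windows add-on (event log channels), the TA-DomainController / TA-DNSServer inputs are not installed on that forwarder; after copying them in and restarting the forwarder, the additional sourcetypes should appear in this list before the Forest/Domain panels populate.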

sd100
Explorer

In the dashboard, Security -> User Logon Failures: the graphs are empty ("no results found. inspect..."). If I click on inspect, the search contains this host!="". If I copy/paste this search WITHOUT the host!="", I'm getting a result.
But I guess the trouble is elsewhere: the upper part of the dashboard is empty (in Forest, Domain, ...).
Part of the answer is that my forwarder on my domain controller only contains the TA_windows app.
I forgot to add the apps TA-DNSServer-NT6 and TA-DomainController-NT6 on the domain controller
(you get them in active_directory/appserver/addons on your indexer).

sd100
Explorer

Copied the apps to the domain controller's forwarder, restarted the service, and boom: graphs are OK, domain and site appear at the top of the Active Directory app... Great, thanks

0 Karma

MarioM
Motivator

Where do you have this host!="*"? I cannot find it in any of the app's conf files.

0 Karma