All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

[SA-ldapsearch] Intermittent Error on AD Identity Update

morethanyell
Builder
‎06-19-2019 07:38 PM

Hi,

We're getting an inconsistent failure on a savedsearch that comes pre-packaged with the add-on "Splunk Supporting Add-on for Active Directory". Our config is intact and has been tested connection with positive result.

This is the code of the saved search:

|ldapsearch domain=redacted.of.course search="(&(objectclass=user)(!(objectClass=computer)))"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
|eval priority="medium"
|eval category="normal"
|eval watchlist="false"
|eval endDate="" 
|table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate,company,title,pwdLastSet
|rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
| outputlookup createinapp=true mycompany_identities.csv

The error looks like this:
alt text
Tried to search what's going on with the alerts on each schedule but nothing interesting is coming up with internal logs
alt text

Does anybody know what's going on with that error?

Preview file
30 KB
Preview file
44 KB
0 Karma
Reply

amitm05
Builder
‎06-19-2019 11:05 PM

@morethanyell
This seems to be a connectivity problem as your error states
"Transport endpoint is not connected" and it is throwing a Timeout expiration exception.

Can you validate by performing the basic connectivity tests of your LDAP server from your splunk instance.
Ping, Telnet

And then first try to confirm for basic LDAP search like-
| ldapsearch domain=SPL search="(objectClass=user)"

0 Karma
Reply

amitm05
Builder
‎06-21-2019 01:02 AM

Can you apprise the status OR mark as answer if already resolved.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...