
SA-ldapsearch issue?

dhorn
Path Finder

I am working to set up a POC of Splunk with Active Directory, and so far have the UF installed on one DC. Data is coming in, lots of data in fact, and everything seems to be working except for some of the reports. I believe it's related to pulling information from LDAP that isn't working, and I'm unsure why.

For example, Security > Audit > User Audit

As soon as I open this report, I get two notification bars at the top. The first is:
[subsearch]: No matching fields exist

and the second is:
No matching fields exist

and no data will load in this report, except for Failed Logon Activity. No matter what user I search for, or even without typing in a user, this is the behavior that I am getting.

I have the same issue on the Computer Audit report as well, and I'd assume all the audit-related reports.

I've checked the SA-ldapsearch log, which has nothing in it. What other logs should I be looking in?

0 Karma

dhorn
Path Finder

Solved my issue.

My binddn value was incorrect. 🙂

0 Karma

imarks004
Path Finder

Did you install and configure the standalone SA-LDAP app? If so, check your AD logs to see if the user you are using to bind with is even authenticating.

0 Karma

dhorn
Path Finder

I do not have access to view AD logs, so I won't be able to check on this for another hour or so.

Something odd has happened though; SA-ldapsearch.log is not in English, but instead in some sort of symbols. Chinese maybe?

Are there any other log files that I should be looking at for this?

0 Karma

imarks004
Path Finder

Sorry, I just shortened the name off the top of my head; I was talking about the SA-ldapsearch app. Do you see anything in your AD logs showing this app authenticating with the user you configured in the local/ldap.conf file?

0 Karma

dhorn
Path Finder

I'm not familiar with the SA-ldap app, actually, so I don't think I have it installed. I have SA-ldapsearch, though.

Can you provide me a link to it so I can install it?

Does my issue sound like it's authentication related?

0 Karma