
Splunk Add-on for Active Directory 2.2.0 Returns No Results and Error "

trav271
Explorer

I'm trying to set up the add-on currently on a HF and for what should be a simple setup, this is a massive pain.

The HF is set up to forward the data on to the indexer as a receiver. And the app is installed with no permission issues. Here's the syntax of what I put into the UI to set this up:

Domain Name: domain.net
Alternate Domain Name: DOMAIN

Base DN: DC=domain,DC=net

Hostname: ex-dc-host-domain.net
Port: 636
SSL: Enabled

Bind DN: CN=splunk,OU=SomeTypeOfAccount,OU=DomainInternal,DC=domain,DC=net
Password: provided_password

When I go to test the connection all I see is:

Result
No results found.

Error
"

Has anyone seen this and knows what that rather unhelpful error message means? I've looked around but can't find anyone else with this issue and there is a LOT of conflicting documentation on this app out there due to deprecation and all kinds of nonsense. I used the following link to set this up:

https://docs.splunk.com/Documentation/SA-LdapSearch/2.2.0/User/DeploytheSplunkSupportingAdd-onforAct...

The app is installed on the HF and the Indexers, it's a clustered indexer env, no SHC. Any help is massively appreciated.

0 Karma
1 Solution

trav271
Explorer

Ended up solving this myself. My solution is to tell people not to use the GUI for this as it does a very poor job of returning the actual error for you to begin tracking the issue down. What's best is to just use the config files, then test in the search bar yourself but ENABLE DEBUGGING in the search bar. The errors that are returned are far more useful. In the end, after making my changes, I'd then go to my HF and run

| ldaptestconnection domain=domain.net debug=true

The results this returned allowed me to very quickly diagnose a DNS issue and fix it within minutes. It would be nice if the devs would make the test-connection actually return the error results and also run in debug since that is likely what you want to see when testing. shrug


0 Karma
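
The DNS failure in the accepted answer sits underneath anything the add-on's test button reports. As an added example (not from the original post and not part of the add-on), this Python function checks the configured LDAPS endpoint layer by layer and names the first layer that fails; `check_ldaps` and its parameters are hypothetical names, and the hostname is the placeholder used in the post.

```python
import socket
import ssl


def check_ldaps(host, port=636, timeout=5.0, resolve=socket.getaddrinfo,
                connect=socket.create_connection, context=None):
    """Return (stage, detail): the first layer that fails, or ("ok", ...).

    resolve/connect/context are injectable so the logic can be exercised offline.
    """
    # Stage 1: name resolution, the failure the poster eventually found.
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", f"cannot resolve {host}: {exc}")
    addrs = ", ".join(sorted({info[4][0] for info in infos}))

    # Stage 2: TCP reachability of the LDAPS port (firewall, wrong port, host down).
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", f"{host}:{port} unreachable (resolved to {addrs}): {exc}")

    # Stage 3: TLS handshake with certificate and hostname verification left on,
    # so an untrusted CA or a name mismatch shows up here, not as an empty error.
    ctx = context or ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", f"{tls.version()} to {host}:{port} via {addrs}")
    except ssl.SSLError as exc:  # includes certificate verification errors
        return ("tls", f"handshake with {host} failed: {exc}")
    except OSError as exc:
        return ("tls", f"connection dropped during handshake: {exc}")


if __name__ == "__main__":
    # Placeholder hostname from the post; substitute the DC configured in the add-on.
    print(check_ldaps("ex-dc-host-domain.net"))
```

Run it on the HF itself, since that is the host that opens the LDAPS connection and whose resolver and trust store matter.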
