Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk App for Windows Infrastructure AD issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to get the Splunk App for Windows Infrastructure working (works for windows events but nothing else) and I'm running into some problems with AD. I believe I have everything setup correctly. I can search AD, for example, |ldapsearch domain=DOMAIN search="(cn=Administrator)" returns a result. However, when I do this search eventtype=msad-dc-health it returns nothing. And when I try to run one of the macros, like domain-list|dedup host|outputlookup DomainList.csv, it returns Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Expecting stanza name 'domain-list'. What am I doing wrong? I've also tried the legacy AD app without success. All the prerequisites appear to be met. Nothing ever populates in the apps AD queries. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fix by Splunk support. There was an issue with the newest version of the Active Directory app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fix by Splunk support. There was an issue with the newest version of the Active Directory app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you verified your ldapsearch is working properly? Specifically the SA-ldapsearch addon required?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did. That is working fine. I can search AD and AD changes are being indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you deployed the TAs for active directory monitoring?
Specifically: TA-DNSServer-NT5 TA-DNSServer-NT6 TA-DomainController-2012R2 TA-DomainController-NT5 TA-DomainController-NT6 (as appropriate)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. I do have those setup in local folders... I think correctly. Any reason why I would be getting this error Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Or anything else you can think of that I might be missing? I went through the setup docs very closely. Thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
