
Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

brooklynotss
Path Finder

I can't get any of the Domain portions of the Windows Infrastructure App to work. Trying to find the root cause, I noticed my DomainList.csv and DomainSelector.csv lookup files are zero bytes. I found this great blog: http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/ which says to populate them manually by running these in the search bar:

  1. domain-selector-search|outputlookup DomainSelector.csv
  2. domain-list|dedup host|outputlookup DomainList.csv

But that doesn't do anything, and yes, I tried with the ` characters. Neither search returns any results...
LDAP searching is working.

1 Solution

brooklynotss
Path Finder

Using RSennett's help - used this search:

source=powershell sourcetype="MSAD:*:Health" |stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain

to determine I had no MSAD Health sourcetype data. So I realized something was up with the PowerShell scripts that are supposed to be running on my domain controllers and sending their results back to my indexer. Got that resolved. Although I have 2012R2 DCs, the NT6 TA was still required. Not sure why that is the case, but I guess it didn't like the 2012 version...

Many thanks.


robjackson
Path Finder

How does msad-dc-health translate to: eventtype=powershell sourcetype="MSAD:*:Health"?

Returns data:

source=powershell sourcetype="MSAD:*:Health" |stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain

Returns nothing:

eventtype=msad-dc-health|stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain



rsennett_splunk
Splunk Employee

Good job. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

rsennett_splunk
Splunk Employee

domain-selector-search is a macro that represents:

eventtype=msad-dc-health|dedup host, DomainNetBIOSName,DomainDNSName,ForestName,Site|table host,DomainNetBIOSName,DomainDNSName,ForestName,Site|sort ForestName,Site,DomainDNSName,host

domain-list represents:

eventtype=msad-dc-health|stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain

the eventtype msad-dc-health translates to: eventtype=powershell sourcetype="MSAD:*:Health"

the eventtype powershell translates to: source=powershell

put it all together and you get:

`source=powershell sourcetype="MSAD:*:Health" |stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain`

Now you have something to run and troubleshoot. I'd run it... and then start backing up, systematically getting rid of each pipe until you're at the first one. That might give you a clue as to what's not happening as it should.

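The manual expansion rsennett_splunk walks through above (macro to eventtype to base search) can be automated so it is repeatable on any search head. This is an added example, not code from the Splunk App for Windows Infrastructure or from Splunk: it parses constructed macros.conf and eventtypes.conf text that mirrors the definitions quoted in this thread, expands a search recursively, and raises when a referenced macro or eventtype is not defined. The regexes, the `KnowledgeObjectMissing` class and the `unresolved` helper are this example's own; argument-taking macros are not handled.

```python
"""Resolve a Splunk macro to the base search it finally runs.

Added example, not code from the Splunk App for Windows Infrastructure.
It expands macros.conf / eventtypes.conf stanzas recursively and raises
when a referenced knowledge object is missing, which is what an eventtype
that returns nothing usually means (wrong app context, not shared, or the
defining app is not installed on this search head).
"""
import configparser
import re

# Constructed conf text; the definitions mirror the ones quoted in the thread.
MACROS_CONF = """
[domain-selector-search]
definition = eventtype=msad-dc-health|dedup host, DomainNetBIOSName,DomainDNSName,ForestName,Site|table host,DomainNetBIOSName,DomainDNSName,ForestName,Site|sort ForestName,Site,DomainDNSName,host

[domain-list]
definition = eventtype=msad-dc-health|stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain
"""

EVENTTYPES_CONF = """
[msad-dc-health]
search = eventtype=powershell sourcetype="MSAD:*:Health"

[powershell]
search = source=powershell
"""

# `name` in SPL; argument-taking macros (name(n)) are out of scope here.
MACRO_RE = re.compile(r"`([A-Za-z0-9_-]+)`")
# eventtype=name or eventtype="name"
EVENTTYPE_RE = re.compile(r'eventtype=("?)([^\s"|]+)\1')


class KnowledgeObjectMissing(LookupError):
    """A macro or eventtype referenced by the search is not defined."""


def load_conf(text):
    """Parse Splunk-style .conf text (INI syntax, no % interpolation)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def expand(search, macros, eventtypes, depth=0):
    """Return `search` with every macro and eventtype replaced by its definition."""
    if depth > 20:
        raise RecursionError("macro/eventtype definitions reference each other")

    def sub_macro(m):
        name = m.group(1)
        if not macros.has_section(name):
            raise KnowledgeObjectMissing(f"macro `{name}` not found in macros.conf")
        return expand(macros[name]["definition"], macros, eventtypes, depth + 1)

    def sub_eventtype(m):
        name = m.group(2)
        if not eventtypes.has_section(name):
            raise KnowledgeObjectMissing(f"eventtype {name} not found in eventtypes.conf")
        # Parenthesise so an eventtype defined as "a OR b" keeps its meaning
        # once it is spliced into a larger search.
        return "(" + expand(eventtypes[name]["search"], macros, eventtypes, depth + 1) + ")"

    search = MACRO_RE.sub(sub_macro, search)
    return EVENTTYPE_RE.sub(sub_eventtype, search)


def unresolved(search, macros, eventtypes):
    """Message for the first missing knowledge object, or None if all resolve."""
    try:
        expand(search, macros, eventtypes)
    except KnowledgeObjectMissing as err:
        return str(err)
    return None


if __name__ == "__main__":
    macros, eventtypes = load_conf(MACROS_CONF), load_conf(EVENTTYPES_CONF)
    for spl in ("`domain-list`", "`domain-selector-search`"):
        print(spl, "=>", expand(spl, macros, eventtypes))
    # The "expanded search works, eventtype does not" symptom: the eventtype
    # chain breaks at a definition this search head cannot see.
    broken = load_conf("[msad-dc-health]\nsearch = eventtype=powershell\n")
    print("unresolved:", unresolved("eventtype=msad-dc-health", macros, broken))
```

On a real search head the equivalent input is what `splunk btool macros list domain-list --debug` and `splunk btool eventtypes list msad-dc-health --debug` print, including the file each definition comes from; if a definition is missing there, or lives in an app the search is not run from, the eventtype will silently match nothing.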

brooklynotss
Path Finder

Thanks so much for this. Super helpful. And so the results are: sourcetype="MSAD:*:Health" returns nothing. So I realized something was up with the PowerShell scripts that are supposed to be running on my domain controllers and sending their results back to my indexer. Got that resolved. Although I have 2012R2 DCs, the NT6 TA was still required. Not sure why that is the case, but I guess it didn't like the 2012 version...

Many thanks.


rsennett_splunk
Splunk Employee

You're welcome. Go ahead and paste your answer into the answers box... and then go back and accept your own answer. It'll earn you some karma points. 🙂


ajhstn
Explorer

Hi @rsennett_splunk, when I run the expanded search I get results; however, when I just run the macro domain-selector-search or even eventtype=msad-dc-health I get no results.

Where do I start looking next?


rsennett_splunk
Splunk Employee

@ajhstn Same as above. You have to open up those macros and run each section, pipe by pipe, to see why it's not running in your system. There is something silently failing. You have to reveal what it might be that is unique to your config...

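The "back up one pipe at a time" method recommended twice in this thread is easy to do by hand once, but it helps to see what each stage of the domain-list search is supposed to leave behind, and which stage goes to zero when the DC health script is not producing data. This is an added example, not code from the app or from Splunk: the event dicts are constructed to look like what a domain controller running the health script would index, and the stage functions are a minimal stand-in for SPL semantics (case-insensitive field matching, `stats count by` dropping rows that lack a by-field), enough for this one search and not a general SPL engine. `run_stages` and `first_empty_stage` are names chosen for this example.

```python
"""Run the expanded domain-list search stage by stage over sample events to
find the first stage that returns nothing.

Added example, not code from the Splunk App for Windows Infrastructure.
Events are constructed; stage functions approximate SPL for this search only.
"""
import re
from collections import Counter

# Constructed events: three DCs reporting health, one replication event from
# the same script, and unrelated Windows event log noise. dc03 has an empty
# DomainNetBIOSName, standing in for a failed field extraction.
EVENTS = [
    {"source": "powershell", "sourcetype": "MSAD:NT6:Health", "host": "dc01", "DomainNetBIOSName": "CORP"},
    {"source": "powershell", "sourcetype": "MSAD:NT6:Health", "host": "dc02", "DomainNetBIOSName": "CORP"},
    {"source": "powershell", "sourcetype": "MSAD:NT6:Health", "host": "dc03", "DomainNetBIOSName": ""},
    {"source": "powershell", "sourcetype": "MSAD:NT6:Replication", "host": "dc01", "DomainNetBIOSName": "CORP"},
    {"source": "WinEventLog:Security", "sourcetype": "WinEventLog:Security", "host": "dc01"},
]


def wildcard(pattern, value):
    """Splunk-style field match: case-insensitive, * matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def stats_count_by(rows, *fields):
    """stats count by f1,f2: rows missing any by-field are dropped, as in Splunk."""
    counts = Counter(tuple(r[f] for f in fields) for r in rows if all(f in r for f in fields))
    return [dict(zip(fields, key), count=n) for key, n in sorted(counts.items())]


# (SPL fragment, function) in pipeline order; each function maps rows to rows.
STAGES = [
    ("source=powershell",
     lambda rows: [r for r in rows if wildcard("powershell", r.get("source", ""))]),
    ('sourcetype="MSAD:*:Health"',
     lambda rows: [r for r in rows if wildcard("MSAD:*:Health", r.get("sourcetype", ""))]),
    ("stats count by DomainNetBIOSName,host",
     lambda rows: stats_count_by(rows, "DomainNetBIOSName", "host")),
    ("where length(DomainNetBIOSName)>0",
     lambda rows: [r for r in rows if len(r["DomainNetBIOSName"]) > 0]),
    ("rename DomainNetBIOSName as src_nt_domain",
     lambda rows: [{("src_nt_domain" if k == "DomainNetBIOSName" else k): v for k, v in r.items()} for r in rows]),
    ("table host,src_nt_domain",
     lambda rows: [{"host": r["host"], "src_nt_domain": r["src_nt_domain"]} for r in rows]),
]


def run_stages(events):
    """Return [(spl_fragment, rows_after_stage), ...], i.e. the result of the
    search with one more pipe added each time."""
    rows, trace = list(events), []
    for spl, fn in STAGES:
        rows = fn(rows)
        trace.append((spl, rows))
    return trace


def first_empty_stage(events):
    """SPL fragment of the first stage that returns no rows, or None."""
    for spl, rows in run_stages(events):
        if not rows:
            return spl
    return None


if __name__ == "__main__":
    # Second scenario: the health script is not running, so no MSAD:*:Health
    # events exist; the pipeline empties at the sourcetype filter, not later.
    scenarios = (
        ("health script running", EVENTS),
        ("no health script output", [e for e in EVENTS if "Health" not in e["sourcetype"]]),
    )
    for label, data in scenarios:
        print(f"== {label}")
        for spl, rows in run_stages(data):
            print(f"{len(rows):3d} rows after | {spl}")
        print("first empty stage:", first_empty_stage(data))
```

Reading the trace the same way on a real search head tells you which kind of fix to look for: empty at the `source`/`sourcetype` stages means the TA's inputs are not producing events (brooklynotss's case); rows surviving until `where length(DomainNetBIOSName)>0` and then vanishing means the events arrive but field extraction is not populating DomainNetBIOSName.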