
Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Path Finder

I can't get any of the Domain portions of the Windows Infrastructure App to work. Trying to find the root cause, I noticed my DomainList.csv and DomainSelector.csv lookup files are zero bytes. I found this great blog: http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/ which says to populate them manually by running these in the search bar:

  1. domain-selector-search|outputlookup DomainSelector.csv
  2. domain-list|dedup host|outputlookup DomainList.csv

But that doesn't do anything. And yes, I tried with the ` characters. Neither search returns any results...
LDAP searching is working.

0 Karma

Re: Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Splunk Employee

domain-selector-search is a macro that represents:

eventtype=msad-dc-health|dedup host, DomainNetBIOSName,DomainDNSName,ForestName,Site|table host,DomainNetBIOSName,DomainDNSName,ForestName,Site|sort ForestName,Site,DomainDNSName,host

domain-list represents:

eventtype=msad-dc-health|stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain

The eventtype msad-dc-health translates to: eventtype=powershell sourcetype="MSAD:*:Health"

The eventtype powershell translates to: source=powershell

Put it all together and you get:

`source=powershell sourcetype="MSAD:*:Health" |stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain`

Now you have something to run and troubleshoot. I'd run it... and then start backing up, systematically getting rid of each pipe until you're at the first one. That might give you a clue as to what's not happening as it should.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
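The two steps in the reply above (inline the macros and eventtypes to get the raw search, then run it one pipe at a time until a stage comes back empty) can be scripted instead of done by hand in the search bar. The following is an added example, not code from the app or from anyone in this thread. It assumes the stanza layout of Splunk's macros.conf (`[name]` / `definition = ...`) and eventtypes.conf (`[name]` / `search = ...`); `parse_conf` is a deliberately minimal reader for that format and ignores argument-taking macros (`[name(1)]`), and the conf text embedded below is constructed from the definitions quoted in the reply rather than read from an installation. It also flags the trap from the original question: a macro name typed without backticks is just a keyword search in SPL. The same pipe-by-pipe approach is what the later reply to @ajhstn recommends.

```python
"""Expand `macro` and eventtype= references in a Splunk search using the
macros.conf / eventtypes.conf stanza format, then list it one pipe at a time.
Added example, not code from the app or the thread; the conf text is
constructed from the definitions quoted in the reply (zero-argument macros)."""
import re

# Constructed macros.conf stanzas mirroring the two macros quoted above.
MACROS_CONF = """
[domain-selector-search]
definition = eventtype=msad-dc-health|dedup host, DomainNetBIOSName,DomainDNSName,ForestName,Site|table host,DomainNetBIOSName,DomainDNSName,ForestName,Site|sort ForestName,Site,DomainDNSName,host

[domain-list]
definition = eventtype=msad-dc-health|stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain
"""
# Constructed eventtypes.conf stanzas mirroring the two eventtypes quoted above.
EVENTTYPES_CONF = """
[msad-dc-health]
search = eventtype=powershell sourcetype="MSAD:*:Health"

[powershell]
search = source=powershell
"""
MACRO_RE = re.compile(r"`([A-Za-z0-9_.-]+)`")                      # `name`
EVENTTYPE_RE = re.compile(r'eventtype=("?)([A-Za-z0-9_.:-]+)\1')    # eventtype=name


def parse_conf(text):
    """Read [stanza] / key = value lines into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # only the first '=' delimits
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def expand(search, macros, eventtypes, depth=0):
    """Recursively inline macros and eventtypes. An undefined name raises
    KeyError instead of silently matching nothing, as it would in Splunk."""
    if depth > 20:
        raise ValueError("macro/eventtype nesting too deep (cycle?)")

    def sub_macro(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"macro `{name}` is not defined")
        return expand(macros[name]["definition"], macros, eventtypes, depth + 1)

    def sub_eventtype(m):
        name = m.group(2)
        if name not in eventtypes:
            raise KeyError(f"eventtype {name} is not defined")
        body = expand(eventtypes[name]["search"], macros, eventtypes, depth + 1)
        # An eventtype is ANDed into the calling search; group multi-term bodies.
        return f"({body})" if " " in body else body

    return EVENTTYPE_RE.sub(sub_eventtype, MACRO_RE.sub(sub_macro, search))


def bare_macro_names(search, macros):
    """Macro names typed without backticks are plain keyword searches in SPL,
    which is the trap the original question hit; report them."""
    return [t for t in re.split(r"[\s|]+", search) if t in macros]


def split_pipes(search):
    """Split SPL on top-level '|' only: pipes inside "..." or ( ) / [ ] stay put."""
    parts, buf, in_quote, depth = [], [], False, 0
    for ch in search:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch in "([":
                depth += 1
            elif ch in ")]":
                depth -= 1
            elif ch == "|" and depth == 0:
                parts.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def troubleshooting_plan(search, macros_conf=MACROS_CONF, eventtypes_conf=EVENTTYPES_CONF):
    """Expanded search as cumulative prefixes: run each in order; the first
    one that returns no results is the stage that is failing silently."""
    macros, eventtypes = parse_conf(macros_conf), parse_conf(eventtypes_conf)
    stages = split_pipes(expand(search, macros, eventtypes))
    return [" | ".join(stages[: i + 1]) for i in range(len(stages))]


if __name__ == "__main__":
    for n, step in enumerate(troubleshooting_plan("`domain-list`|dedup host|outputlookup DomainList.csv")):
        print(n, step)
```

Running it prints seven searches, starting with `(source=powershell sourcetype="MSAD:*:Health")` and adding one pipe per line; paste them into the search bar in order. If the very first one returns nothing, the problem is upstream of the app (no MSAD:*:Health data indexed), which is exactly what the original poster found. Against a real deployment you would feed `troubleshooting_plan` the contents of the app's `default/macros.conf` and `default/eventtypes.conf` (plus any `local/` overrides) instead of the constructed strings.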

Re: Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Path Finder

Thanks so much for this. Super helpful. And so the results are: sourcetype="MSAD:*:Health" returns nothing. So I realized something was up with the PowerShell scripts that are supposed to be running on my domain controllers and sending their results back to my indexer. Got that resolved. Although I have 2012R2 DCs, the NT6 TA was still required. Not sure why that is the case, but I guess it didn't like the 2012 version...

Many thanks.

0 Karma

Re: Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Splunk Employee

You're welcome. Go ahead and paste your answer into the answers box... and then go back and accept your own answer. It'll earn you some karma points. 🙂


Re: Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Explorer

Hi @rsennett_splunk, when I run the expanded search I get results; however, when I just run the macro domain-selector-search, or even eventtype=msad-dc-health, I get no results.

Where do I start looking next?

0 Karma

Re: Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Splunk Employee

@ajhstn Same as above. You have to open up those macros and run each section, pipe by pipe, to see why it's not running in your system. There is something silently failing. You have to reveal what it might be that is unique to your config...

0 Karma

Re: Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Path Finder

Using RSennett's help, I used this search:

source=powershell sourcetype="MSAD:*:Health" |stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain

to determine I had no MSAD Health sourcetype data. So I realized something was up with the PowerShell scripts that are supposed to be running on my domain controllers and sending their results back to my indexer. Got that resolved. Although I have 2012R2 DCs, the NT6 TA was still required. Not sure why that is the case, but I guess it didn't like the 2012 version...

Many thanks.


Re: Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Splunk Employee

Good job. 🙂

0 Karma

Re: Splunk App for Windows Infrastructure: How do I get the domainselector.csv lookup to populate?

Path Finder

How does msad-dc-health translate to: eventtype=powershell sourcetype="MSAD:*:Health"?

Returns data:

source=powershell sourcetype="MSAD:*:Health" |stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain

Returns nothing:

eventtype=msad-dc-health|stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain

0 Karma