All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App for Windows Infrastructure: How to fix the a macro on Failed Logons dashboards that return "No Results Found"?

scalloway_atsu_
Explorer
‎11-04-2016 10:36 AM

Some Failed Logon dashboards return no results on the search head, but the dashboards are working on the indexers.

eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |`ip-to-host`|`fix-localhost`|stats count by src_nt_host,src_ip|sort -count|rename src_nt_host as "Workstation",src_ip as "IP Address"

Returns no results.

eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |`fix-localhost`|stats count by src_nt_host,src_ip|sort -count|rename src_nt_host as "Workstation",src_ip as "IP Address"

Does return results.

Indicating a failure of the macro ip-to-host. The macro (Settings-Advanced Search-Search Macros) exists in both locations with the same permissions.

How to fix the macro, or the underlying lookup, on the search head?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scalloway_atsu_
Explorer
‎01-09-2017 12:39 PM

I might have just enough knowledge to be dangerous, but the following seems to have corrected the problem.

ip-to-host references the tHostInfo collection in KVStore for Splunk App for Windows Infrastructure.
Specifically, for Active Directory - Users - Failed Logins → IP and Username details return “No results found.”

In Searches, reports, and alerts » tHostInfo_Lookup_Update, I find the following runs every five minutes:

thostinfo|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo

Speculating that tHostInfo is empty and not initialized, I ran the following:

thostinfo|outputlookup tHostInfo

The IP and Username details are working now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scalloway_atsu_
Explorer
‎01-09-2017 12:39 PM

I might have just enough knowledge to be dangerous, but the following seems to have corrected the problem.

ip-to-host references the tHostInfo collection in KVStore for Splunk App for Windows Infrastructure.
Specifically, for Active Directory - Users - Failed Logins → IP and Username details return “No results found.”

In Searches, reports, and alerts » tHostInfo_Lookup_Update, I find the following runs every five minutes:

thostinfo|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo

Speculating that tHostInfo is empty and not initialized, I ran the following:

thostinfo|outputlookup tHostInfo

The IP and Username details are working now.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...