Re: Splunk app for MS active directory - no result...

vickileong · ‎02-05-2014

We got "No results found." for all dashboard after we installed the app. When we click on Inspect, we found the following search

search eventtype=msad-failed-user-logons host!="*" | fields _time, signature, src_ip, src_host, src_nt_host, src_nt_domain, user, Logon_Type

"0 matching events" even we use this query on search. But if we remove the terms host!="*" or replace it by host!="abc". For example:

search eventtype=msad-failed-user-logons | fields _time, signature, src_ip, src_host, src_nt_host, src_nt_domain, user, Logon_Type

We got all the result back.

Anyone have any idea of whats wrong regarding the "host" field?

vickileong · ‎02-05-2014

hi, yes, you are right. a mis-config cause the field host became null. checking the config now. thanks

kristian_kolb · ‎02-05-2014

hmm, host!=* sound like certain way to receive no events.

Essentially this would require that the field host is present in the event (which it is), and that the value does not match any string... would that be some way of saying "is_null"?

skylasam_splunk · ‎02-05-2014

Hi - Can you be more specific about which dashboard you're encountering this error with; is it the User logon failures? Please paste the URL if possible.
Also, what version of the AD app are you running?

vickileong · ‎02-05-2014

hi, just found out that its because of a mis-config of the Splunk app.

Splunk app for MS active directory - no result after include host!="*" in the search

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases