
Splunk app for active directory event types not working

systemsatpayzon
Path Finder

None of the event types in eventtypes.conf under \Splunk\etc\apps\Splunk_for_ActiveDirectory\default\ work in search. For example, if I search for "eventtype=wineventlog-security" I get "Unable to find an eventtype wineventlog-security", but if I instead search for the underlying search string "index=main source=WinEventLog:Security" I get a lot of events. It looks like all eventtypes under "splunk_TA_windows" are searchable but none of the eventtypes under Splunk_for_ActiveDirectory.

What could be wrong?

0 Karma
1 Solution

systemsatpayzon
Path Finder

I solved it after a day of troubleshooting 🙂 The problem was that the eventtypes were only accessible inside the app in Splunk Web, but I used the standard Search app for testing. After searching in the search app inside the Splunk App for Active Directory it works like a charm.


0 Karma
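The scoping behaviour described in this answer comes from the knowledge-object permissions in the app's metadata: objects an app keeps private are only resolvable while that app is the current context. As an added illustration, not from the original thread or from the app itself, this is a `metadata/local.meta` fragment that would export the app's eventtypes (and the tags built on them) to every app, so `eventtype=wineventlog-security` also resolves from the Search app; the directory name is taken from the question.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_for_ActiveDirectory/metadata/local.meta
# Added example, not shipped with the app. local.meta overrides the
# app-private defaults in default.meta; "export = system" makes the
# objects visible from every app context, not only inside this one.

[eventtypes]
export = system

[tags]
export = system
```

Splunk has to be restarted (or its knowledge objects reloaded) before the changed permissions take effect, and the index still has to be in scope for the searching role, which is what the `index=x eventtype=y` hint in the next answer covers.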


sdaniels
Splunk Employee

Sounds like in the Search app you would just need to explicitly specify the index for the AD data (index=x eventtype=y).

The TAs for Splunk App for Active Directory log events into one of three indices:

  • perfmon = All performance data
  • winevents = All Windows Event Log data
  • msad = Everything else

0 Karma

jbernt_splunk
Splunk Employee

Hello. Have you restarted Splunk between removing/re-adding the Splunk for Active Directory app?

0 Karma

systemsatpayzon
Path Finder

Using btool I can see that settings from eventtypes.conf in \Splunk_for_ActiveDirectory\default are being consumed by Splunk. How come I cannot search for those eventtypes?

0 Karma

systemsatpayzon
Path Finder

Previously I had the Splunk App for Windows installed, but I deleted it today. Could that cause any problems?

0 Karma