
What builds AD_User_LDAP_list

tkw03
Communicator

Trying to find the discrepancy between what my LDAP user lookup is reporting and what my user count in AD is.

Finding the search that builds that lookup is a bit tricky.

Anyone know which macro builds that lookup table?

Thanks!


shogan_splunk
Splunk Employee

First, you can have discrepancies when you are either missing the admonEventType="Sync" events, which are only generated when the baseline is collected, or when the baseline was collected before the MS Windows AD Objects application was installed and the "Build" step was never run via the Build AD Lookup Lists - Main dashboard.

The reason this is important is that the only objects (i.e. users) available in the lookups will be the new/updated/deleted ones extracted from admonEventType="Updated" or admonEventType="Deleted" events. The admonEventType="Sync" events are collected for all objects when a baseline is generated.

So first I would suggest running the report AD Objects - Verify Baseline Data - Overall, which is in the Configuration Dashboards menu.

  • If no results are returned, then make sure that you have followed the steps below for enabling the following input on one of your domain controllers. Note: if it was already enabled, then see the next set of steps for recollecting the baseline.
    1. Add the following input to Splunk_TA_Windows/local/inputs.conf, either locally on the Domain Controllers in the *...\SplunkUniversalForwarder\etc\apps* directory, or if using the deployment server in the *...\splunk\etc\deployment-apps* directory.

        [admon://NearestDC]
        disabled = 0
        monitorSubtree = 1
        baseline = 1
        index = msad

    2. Restart the Splunk Forwarder service, either locally or, if using the Deployment Server, make sure the Restart Splunk option is selected for the Splunk_TA_Windows application.
  • If the above input was already in the Domain Controllers' inputs.conf, then do the following steps to recollect the baseline AD data.
    1. Log on locally on the AD Domain Controller.
    2. Stop the Splunk Forwarder service.
    3. Navigate to the *..\SplunkUniversalForwarder\var\lib\splunk\persistentstorage\ADMon* directory.
    4. Delete the NearestDC.ini file, and any other .ini file if it exists.
       Note: If you see default.ini, then the admon input is enabled somewhere else, and that will prevent the baseline from being collected. It might have been enabled when you installed the forwarder by checking the enable "Active Directory" monitoring option.
    5. If you do see a default.ini, then navigate into the *...\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local* directory and remove the [admon://default] stanza from the inputs.conf file. If it isn't there, then check the local directory of any of the other applications on the forwarder.
    6. Start the Splunk Forwarder service.
    7. Run the AD Objects - Verify Baseline Data - Overall report again to verify that you are getting admonEventType="Sync" data.
    8. If you are now receiving the baseline data and you want to force the rebuild, then open the Build AD Lookup Lists - Main dashboard and click the button to Build All. Otherwise the scheduled searches will pick up the new "Sync" events within 15 minutes.

BTW: Below is a base search for getting the user objects. There are several macros used to build the lookup, because the group membership, deleted users, etc. all need to be synced up:
eventtype=ms_ad_obj_msad_data (objectClass="top|person|organizationalPerson|user")
| fields admonEventType,cn,sAMAccountName,distinguishedName
| stats values(admonEventType) AS admonEventType by cn,sAMAccountName,distinguishedName

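The baseline recollection procedure from the answer above, as an added PowerShell example; it is not part of the original answer or of the MS Windows AD Objects app. It assumes (none of this is stated on the page) a default install path of C:\Program Files\SplunkUniversalForwarder, a Windows service named SplunkForwarder, and an elevated session on the domain controller; adjust those if your forwarder differs. It refuses to clear the ADMon state if no [admon://NearestDC] stanza is found under etc\apps, since in that case the input still needs to be enabled first.

```powershell
# Added example, not from the original post or the Splunk app: automates the
# baseline recollection steps on a domain controller running the Universal Forwarder.
# Assumptions: UF installed under $SplunkHome, service named "SplunkForwarder",
# run from an elevated PowerShell session on the DC.
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$ServiceName = 'SplunkForwarder'
$AdmonStore  = Join-Path $SplunkHome 'var\lib\splunk\persistentstorage\ADMon'
$AppsDir     = Join-Path $SplunkHome 'etc\apps'

function Remove-InputsStanza {
    # Removes one [stanza] header and its settings from an inputs.conf, leaving every
    # other stanza intact. A backup copy is written next to the file first.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Stanza = '[admon://default]'
    )
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $keep = New-Object System.Collections.Generic.List[string]
    $skipping = $false
    foreach ($line in (Get-Content -Path $Path)) {
        $t = $line.Trim()
        if ($t -eq $Stanza) { $skipping = $true; continue }              # header to drop
        if ($skipping -and $t -match '^\[.+\]$') { $skipping = $false }  # next stanza starts
        if (-not $skipping) { $keep.Add($line) }
    }
    Set-Content -Path $Path -Value $keep
}

# Every app's local\inputs.conf on the forwarder (deployment-server apps land here too).
$localInputs = Get-ChildItem -Path $AppsDir -Recurse -Filter 'inputs.conf' -File |
    Where-Object { $_.DirectoryName -like '*\local' }

# Pre-check: the NearestDC admon input must be enabled somewhere, or there is nothing to re-baseline.
$hasNearestDC = [bool]($localInputs | Select-String -Pattern '^\s*\[admon://NearestDC\]' -Quiet)
if (-not $hasNearestDC) {
    Write-Warning "No [admon://NearestDC] stanza found under $AppsDir; enable the input first."
    return
}

# Stop the forwarder so the persistent ADMon state can be cleared safely.
Stop-Service -Name $ServiceName

# Delete NearestDC.ini and any other .ini in the ADMon store. A default.ini means
# [admon://default] is enabled in some app and will block the baseline collection.
$inis = @(Get-ChildItem -Path $AdmonStore -Filter '*.ini' -File -ErrorAction SilentlyContinue)
$hadDefault = [bool]($inis | Where-Object { $_.Name -eq 'default.ini' })
$inis | Remove-Item -Force

if ($hadDefault) {
    # Strip the competing [admon://default] stanza from whichever app carries it.
    foreach ($conf in $localInputs) {
        if (Select-String -Path $conf.FullName -Pattern '^\s*\[admon://default\]\s*$' -Quiet) {
            Write-Host "Removing [admon://default] from $($conf.FullName)"
            Remove-InputsStanza -Path $conf.FullName
        }
    }
}

# Start the forwarder; the next admon run collects a fresh baseline. Afterwards run the
# "AD Objects - Verify Baseline Data - Overall" report to confirm Sync events are arriving.
Start-Service -Name $ServiceName
```

The stanza removal is done line by line rather than with a regex over the whole file so that settings belonging to the next stanza are never swallowed; the .bak copy lets you diff what was removed before restarting the forwarder.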