First, you can have discrepancies when you are missing the admonEventType="Sync" events, which are only generated when the baseline is collected, or if the baseline was collected before the MS Windows AD Objects application was installed and the "Build" step was never run via the Build AD Lookup Lists - Main dashboard.
The reason this is important is that the only objects (i.e. users) available in lookups will be the new/updated/deleted ones that are extracted from admonEventType="Updated" or admonEventType="Deleted" events. The admonEventType="Sync" events are collected for all objects when a baseline is generated.
So first I would suggest running the report AD Objects - Verify Baseline Data - Overall, which is in the Configuration Dashboards menu.
If no results are returned, then make sure that you have followed the steps below for enabling the following input on one of your domain controllers. **Note:** If it was already enabled, then see the next set of steps for recollecting the baseline.
Add the following input to Splunk_TA_Windows/local/inputs.conf, either locally on the Domain Controllers in the *...\SplunkUniversalForwarder\etc\apps* directory or, if using the deployment server, in the *...\splunk\etc\deployment-apps* directory.
```ini
# Stanza header inferred from the NearestDC.ini state file referred to below;
# it is the admon stanza that ships with Splunk_TA_Windows.
[admon://NearestDC]
disabled = 0
monitorSubtree = 1
baseline = 1
```
Restart the Splunk Forwarder Service, either locally or, if using the Deployment Server, make sure the Restart Splunk option is selected for the Splunk_TA_Windows application.
If the above input was already in the Domain Controller's inputs.conf, then do the following steps to recollect the baseline AD data.

1. Log on locally to the AD Domain Controller.
2. Stop the Splunk Forwarder Service.
3. Navigate to the *...\SplunkUniversalForwarder\var\lib\splunk\persistentstorage\ADMon* directory.
4. Delete the NearestDC.ini file, and any other .ini file if one exists.
   Note: If you see default.ini, then the admon input is enabled somewhere else and will prevent the baseline from being collected. It might have been enabled when you installed the forwarder by checking the enable "Active Directory" monitoring option.
   If you do see a default.ini, then navigate into the *...\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local* directory and remove the [admon://default] stanza from the inputs.conf file. If it isn't there, then check the local directory of any of the other applications on the forwarder.
5. Start the Splunk Forwarder service.
6. Run the AD Objects - Verify Baseline Data - Overall report again to verify that you are getting admonEventType="Sync" data.

If you are now receiving the baseline data and want to force the rebuild, open the Build AD Lookup Lists - Main dashboard and click the Build All button. Otherwise the scheduled searches will pick up the new "Sync" events within 15 minutes.
BTW: below is a base search for getting the user objects. There are several macros used to build the lookup, because the group membership, deleted users, etc. all need to be synced up:
```spl
| fields admonEventType,cn,sAMAccountName,distinguishedName
| stats values(admonEventType) AS admonEventType by cn,sAMAccountName,distinguishedName
```
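The "recollect the baseline" steps above, scripted as an added example that is not part of the original answer, of Splunk_TA_Windows, or of the MS Windows AD Objects app. It assumes the forwarder is installed in the default path and runs as the Windows service SplunkForwarder (both are parameters; check them first), scans every app's default and local inputs.conf plus etc\system for [admon://...] stanzas so a stray [admon://default] is reported before the state files are deleted, and supports a -WhatIf dry run.

```powershell
<#
  Added example (not code from the original answer or from the Splunk app).
  Assumptions: default forwarder install path and the service name
  SplunkForwarder; adjust the parameters if your DC differs.
  Run from an elevated PowerShell prompt on the domain controller.
#>
param(
    [string]$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$ServiceName = 'SplunkForwarder',
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'
$admonState = Join-Path $SplunkHome 'var\lib\splunk\persistentstorage\ADMon'
$confRoots  = @((Join-Path $SplunkHome 'etc\apps'), (Join-Path $SplunkHome 'etc\system'))

# 1. Collect every [admon://...] stanza from default/ and local/ inputs.conf
#    files under the given roots, noting whether that file sets disabled = 1.
#    More than one enabled admon stanza (typically admon://default left behind
#    by the installer next to admon://NearestDC from Splunk_TA_Windows) is the
#    conflict that stops the baseline from being collected.
function Get-AdmonStanzas {
    param([string[]]$Roots)
    $result = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $files = Get-ChildItem -Path $root -Recurse -Filter inputs.conf |
                 Where-Object { $_.DirectoryName -match '\\(default|local)$' }
        foreach ($f in $files) {
            $name = $null; $disabled = $false
            foreach ($line in Get-Content -Path $f.FullName) {
                if ($line -match '^\s*\[([^\]]+)\]') {
                    if ($name) { $result += [pscustomobject]@{ File = $f.FullName; Stanza = $name; Disabled = $disabled } }
                    $name = if ($Matches[1] -like 'admon://*') { $Matches[1] } else { $null }
                    $disabled = $false
                } elseif ($name -and $line -match '^\s*disabled\s*=\s*(1|true)\s*$') {
                    $disabled = $true
                }
            }
            if ($name) { $result += [pscustomobject]@{ File = $f.FullName; Stanza = $name; Disabled = $disabled } }
        }
    }
    return $result
}

$stanzas = Get-AdmonStanzas -Roots $confRoots
$stanzas | Format-Table -AutoSize | Out-String | Write-Host

$enabled = @($stanzas | Where-Object { -not $_.Disabled })
if ($enabled | Where-Object { $_.Stanza -eq 'admon://default' }) {
    Write-Warning 'An enabled [admon://default] stanza exists; remove it from that inputs.conf first or the NearestDC baseline will not be collected.'
}
if ($enabled.Count -eq 0) {
    Write-Warning 'No enabled admon stanza found; add [admon://NearestDC] with baseline = 1 to Splunk_TA_Windows/local/inputs.conf first.'
}

# 2. Stop the forwarder, delete NearestDC.ini and any other .ini state file so
#    the next start takes a fresh baseline, then start the forwarder again.
$iniFiles = @()
if (Test-Path -Path $admonState) {
    $iniFiles = @(Get-ChildItem -Path $admonState -Filter '*.ini')
}
if ($WhatIf) {
    $iniFiles | ForEach-Object { Write-Host "Would delete $($_.FullName)" }
    return
}

Stop-Service -Name $ServiceName
foreach ($ini in $iniFiles) {
    Write-Host "Deleting $($ini.FullName)"
    Remove-Item -Path $ini.FullName -Force
}
Start-Service -Name $ServiceName
Write-Host 'Forwarder restarted. Re-run the AD Objects - Verify Baseline Data - Overall report to confirm admonEventType="Sync" events are arriving.'
```

Run it once with -WhatIf to see which stanzas and .ini files it found; a listed default.ini or an enabled [admon://default] means the conflicting stanza has to be removed by hand before the real run, exactly as the steps above describe.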