
Why did MS Windows AD Objects fail to build lookups?

Loves-to-Learn Lots


I am evaluating Splunk Enterprise in our environment and I have set up an on-premises server for that. Currently I am trying to configure the MS Windows AD Objects app on Splunk. The procedures have been carefully followed. However, it failed on the last step - building lookups.

When the process was trying to build AD_Obj_Admin_Audit lookup, the below error was reported:

Warning: No Windows Change Events Found - Change Time Period

Due to the error, the setup cannot be completed. I have changed the time period up to 5 years but still no luck.

It would be appreciated if you could help us to troubleshoot the issue.


0 Karma

New Member

I had the same issue. I found that Active Directory auditing was not properly configured on the DC. I did not get too in-depth with the troubleshooting; however, I configured the following for success and failure. This allowed the query to run.

  • DS Access
  • Privilege Use
  • Audit directory service access
  • Audit policy change
  • Audit privilege use
  • Audit system events


Hope this helps.

0 Karma


I ran into the same problem. I use custom index names, and multiple indexes for various collection purposes. I listed the indexes thus within the macro searches:


This was incorrect. I need to use Boolean OR between indexes:

  index=first_winindex OR index=second_winindex OR ...etc

Now it builds the AD_Obj_Admin_Audit lookup. It does take a while to build however.

Good luck!

0 Karma

Loves-to-Learn Lots


Thanks for your reply! However, since we didn't use custom index names, the macro should not need to be changed.


0 Karma


Understood. The second point I was making was the setting of macro definitions in the previous screen. One screen back from the build screen is where macros are shown that require indexes. One of these is ms__obj_win_events_index.

Update this macro definition like so (assuming default index names):
    index=WinEvtSec OR index=Windows

Perhaps this will help.

0 Karma
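A lint for the index macro fix described in the replies above, as an added example that is not part of the original thread or the app's own code. It flags any two `index=` terms that are not joined by an uppercase `OR`, since SPL ANDs adjacent terms and only treats uppercase `OR` as an operator. It assumes the macro definition holds only `index=` terms; the function names and the sample definitions are constructed.

```python
import re

# One index term, e.g. index=WinEvtSec or index="my index"
INDEX = re.compile(r'index\s*=\s*(?:"[^"]*"|[^\s()]+)', re.IGNORECASE)
# Either an index term or any other whitespace-delimited word (parentheses ignored)
TOKEN = re.compile(INDEX.pattern + r'|[^\s()]+', re.IGNORECASE)


def check_index_clause(definition):
    """Return (left, right, reason) for each pair of index terms not joined by OR."""
    problems = []
    prev = None      # last index term seen
    between = []     # words seen since that term
    for tok in TOKEN.findall(definition):
        if not INDEX.fullmatch(tok):
            between.append(tok)
            continue
        if prev is not None and between != ["OR"]:
            if not between:
                reason = "implicit AND"
            elif [t.upper() for t in between] == ["OR"]:
                reason = "lowercase 'or' is a search term, not an operator"
            else:
                reason = "joined by " + " ".join(between)
            problems.append((prev, tok, reason))
        prev, between = tok, []
    return problems


def or_joined(definition):
    """Rebuild the definition with every index term joined by uppercase OR."""
    return " OR ".join(t for t in TOKEN.findall(definition) if INDEX.fullmatch(t))


if __name__ == "__main__":
    # Constructed sample definitions; index names are the ones used in the thread.
    samples = [
        "index=WinEvtSec OR index=Windows",
        "index=first_winindex index=second_winindex",
        "index=WinEvtSec or index=Windows",
    ]
    for s in samples:
        issues = check_index_clause(s)
        print(s, "->", "ok" if not issues else issues)
        if issues:
            print("  suggested:", or_joined(s))
```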