Missing lookup tables and error (MS Windows AD Objects)

kloppm
New Member

Hi together, I am getting this error after I add the app to our Splunk server.
It seems to me that some of the lookup tables are not created.

2 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.

Could not load lookup=LOOKUP-ms_ad_obj_xml_member_dn_computer
Could not load lookup=LOOKUP-ms_ad_obj_xml_member_dn_group

Additionally, if I want to choose one of the subdomains, only "All" is available, and the lookup table for the domain list is empty.

What is wrong? I followed all the instructions and there are no other interfering applications installed.

Michael


shogan_splunk
Splunk Employee

A couple of things to check, run in order:
Verify admon "Sync" data and the index name used in the eventtype
1. Run the following search against All Time to verify you are getting admon "admonEventType=Sync" data and what index it is being placed in.
index=* sourcetype="ActiveDirectory" admonEventType="Sync" | head 100 | fields index | stats count by index
2. If you see data returned, then check the returned index against the ms_ad_obj_msad_data eventtype to either verify it is defined correctly or update it if needed.
3. If the index returned from the search was different, then try running through the Configuration Dashboards -> Build AD Lookup Lists - Main dashboard to build the AD_...._LDAP_list lookups.

  • The lookups AD_Computer_LDAP_list/AD_Groups_LDAP_list are referenced by the XmlWinEventLog:Security sourcetype in props.conf.
  • They aren't created by default because they use the collected admon data to build them.
  • So if there are no results returned when you run the search | inputlookup AD_Computer_LDAP_list then the admon data either hasn't been indexed or there have not been any computer changes since installing the MS Windows AD Objects application.
    • (By default any changes get picked up every 15 minutes, and the build process mentioned in step 3 rolls up all Sync/Delete/Changed events since the last day the Sync was collected.)

As far as the AD_Domain_Selector lookup, it uses the admon data to extract the host, DomainNetBIOSName, DomainDNSName, ForestName and Site information. Although I have run into an issue with another customer where the admon data was not providing the correct sub-domain values. So if you don't see data in the AD_Domain_Selector after verifying you are getting admon data, then you can try running either of the following options to put the correct domain values in the AD_Domain_Selector lookup.

Update the AD_Domain_Selector lookup:
Option I

  1. On one AD domain controller per domain, enable the Splunk_TA_windows inputs ## Health and Topology Information NT6 [script://.\bin\runpowershell.cmd nt6-health.ps1] or ## Health and Topology Information 2012r2 and 2016 [powershell://AD-Health], depending on the DC OS version.
  2. After you start receiving data from the search sourcetype="MSAD:*:Health" | head 1, use the following search to update the AD_Domain_Selector lookup.
  3. source=powershell sourcetype="MSAD:*:Health"
     | fields host, DomainNetBIOSName, DomainDNSName, ForestName, Site
     | stats count by host, DomainNetBIOSName, DomainDNSName, ForestName, Site
     | table host, DomainNetBIOSName, DomainDNSName, ForestName, Site
     | append [| inputlookup AD_Domain_Selector | table host, DomainNetBIOSName, DomainDNSName, ForestName, Site]
     | dedup host, DomainNetBIOSName, DomainDNSName, ForestName, Site
     | eval domain=DomainNetBIOSName
     | sort ForestName, Site, DomainDNSName, host
     | outputlookup AD_Domain_Selector

Option II - Manually Update the AD_Domain_Selector lookup

  1. To manually update the AD_Domain_Selector lookup, run the following search, replacing the your_dc_host and your_domain_value text with the matching values for the AD domain you are adding. Note: you can run the search multiple times where you need to add multiple AD domains:

| inputlookup AD_Domain_Selector
| append [| makeresults
| eval host="your_dc_host"
| eval DomainNetBIOSName="your_domain_value"
| eval DomainDNSName="your_domain_value"
| eval ForestName="your_domain_value"
| eval Site="your_domain_value" ]
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site
| eval domain=DomainNetBIOSName
| outputlookup AD_Domain_Selector

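As an added example that is not part of the answer above or of the MS Windows AD Objects app: the merge that both SPL options perform (append the existing lookup, dedup on the five key fields, set domain=DomainNetBIOSName, sort), written in Python so the resulting AD_Domain_Selector rows can be reviewed as a CSV before | outputlookup replaces the live lookup file. The column names are the ones the answer lists; the sample rows below are constructed, and the host, domain and site values in them are hypothetical.

```python
"""Rebuild AD_Domain_Selector lookup rows outside Splunk.

Added example, not code from the MS Windows AD Objects app or the
Splunk_TA_windows add-on. It reproduces the append/dedup/eval/sort steps
of the two SPL options so the output can be inspected as CSV first.
"""
import csv
import io

# Key fields named in the answer; 'domain' is derived from DomainNetBIOSName.
KEY_FIELDS = ["host", "DomainNetBIOSName", "DomainDNSName", "ForestName", "Site"]
COLUMNS = KEY_FIELDS + ["domain"]


def load_rows(csv_text):
    """Parse lookup CSV text (as read from the lookups/ directory) into dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def merge_domain_selector(existing_rows, new_rows):
    """Union of existing and new rows, deduplicated on KEY_FIELDS.

    Missing key fields become empty strings, rows without a host are
    dropped, domain is always re-derived from DomainNetBIOSName, and the
    result is sorted as the SPL sorts it (ForestName, Site, DomainDNSName,
    host). Running it again with the same input changes nothing, which is
    what makes "run the search once per domain" safe.
    """
    seen = set()
    merged = []
    for row in list(new_rows) + list(existing_rows):
        key = tuple((row.get(f) or "").strip() for f in KEY_FIELDS)
        if key in seen or not key[0]:
            continue  # duplicate, or a row with no host (blank line)
        seen.add(key)
        clean = dict(zip(KEY_FIELDS, key))
        clean["domain"] = clean["DomainNetBIOSName"]
        merged.append(clean)
    merged.sort(key=lambda r: (r["ForestName"], r["Site"], r["DomainDNSName"], r["host"]))
    return merged


def dump_rows(rows):
    """Serialise rows as CSV in the lookup's column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample (hypothetical names): what the lookup might hold when
# only the forest root domain was collected.
EXISTING_CSV = (
    "host,DomainNetBIOSName,DomainDNSName,ForestName,Site,domain\n"
    "dc01,CORP,corp.example.com,corp.example.com,HQ,CORP\n"
)
# Constructed rows in the shape of the MSAD:*:Health fields, one per DC.
HEALTH_ROWS = [
    {"host": "dc01", "DomainNetBIOSName": "CORP", "DomainDNSName": "corp.example.com",
     "ForestName": "corp.example.com", "Site": "HQ"},
    {"host": "dc02", "DomainNetBIOSName": "EMEA", "DomainDNSName": "emea.corp.example.com",
     "ForestName": "corp.example.com", "Site": "Berlin"},
]

if __name__ == "__main__":
    merged = merge_domain_selector(load_rows(EXISTING_CSV), HEALTH_ROWS)
    print(dump_rows(merged))
```

The printed CSV is what would replace the lookup file after the SPL's outputlookup; diff it against the current file before running the search, since outputlookup (without append=true) overwrites the lookup and only the | inputlookup in the append subsearch preserves the rows already there.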

amitm05
Builder

@kloppm
This would happen if your lookups with name "ms_ad_obj_xml_member_dn_computer" and "ms_ad_obj_xml_member_dn_group" (Lookup definition OR automatic lookup OR Lookup file) could not be found by Splunk as per the configuration.
As a first step, check the permissions given on your lookup.

Go to Settings -> Lookups -> Lookup Definitions and search for your reported lookups. There you will see the names of the lookups being used and the app which should own them. Set the appropriate permission according to where you are trying to access it and with which role, and this error will go away.

Let me know if this helps you.


sumanssah
Communicator

@kloppm

As per app documentation "This application leverages admon collected data using the Splunk Add-on for Microsoft Active Directo..."

As checked in props.conf on line 99
"LOOKUP-ms_ad_obj_xml_member_dn_computer = AD_Computer_LDAP_list distinguishedName AS member_obj_dn OUTPUT sAMAccountName AS member_obj_id,domain AS member_obj_domain,objectClass AS member_obj_class"

I want to suggest you check if you are capturing the required logs from source "XmlWinEventLog".
If not, please disable the lookup (this will suppress the error message).

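An added check, not code from the MS Windows AD Objects app: a small Python script that parses a props.conf LOOKUP-* directive such as the one quoted above and compares it with the CSV behind the lookup definition. It distinguishes the three states that matter in this thread: the CSV is missing on disk, its header lacks a column the directive asks for, or the file exists but holds only a header (the "not created by default until admon data builds it" case shogan_splunk describes). The mapping from lookup definition to file name is an assumption taken from the file listing later in this thread; in a real deployment read it from the app's transforms.conf, and the sample CSV contents are constructed.

```python
"""Check a props.conf LOOKUP-* directive against the CSV that backs it.

Added example, not part of the MS Windows AD Objects app. FILENAME_MAP is
an assumption (definition name -> CSV file); the authoritative mapping is
the 'filename =' setting of each stanza in the app's transforms.conf.
"""
import csv
import io
import os
import re

# LOOKUP-<class> = <definition> <input clauses> [OUTPUT|OUTPUTNEW <output clauses>]
_DIRECTIVE_RE = re.compile(
    r"^LOOKUP-(?P<name>\S+)\s*=\s*(?P<definition>\S+)\s+(?P<clauses>.+)$"
)


def _parse_clauses(text):
    """Turn 'a AS b, c' into [('a', 'b'), ('c', 'c')].

    props.conf separates clauses with spaces; the app's directive uses
    commas as well, so both are accepted.
    """
    tokens = text.replace(",", " ").split()
    pairs, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS":
            pairs.append((tokens[i], tokens[i + 2]))
            i += 3
        else:
            pairs.append((tokens[i], tokens[i]))
            i += 1
    return pairs


def parse_lookup_directive(line):
    """Return (class, definition, inputs, outputs) for one LOOKUP-* line.

    inputs/outputs are lists of (field in CSV, field in event) pairs.
    """
    m = _DIRECTIVE_RE.match(line.strip())
    if not m:
        raise ValueError("not a LOOKUP-* directive: %r" % line)
    parts = re.split(r"\s+OUTPUT(?:NEW)?\s+", m["clauses"], maxsplit=1, flags=re.IGNORECASE)
    inputs = _parse_clauses(parts[0])
    outputs = _parse_clauses(parts[1]) if len(parts) == 2 else []
    return m["name"], m["definition"], inputs, outputs


def check_lookup_csv(csv_text, inputs, outputs):
    """Return {'missing': columns the CSV lacks, 'rows': non-empty data rows}.

    missing == [] with rows == 0 is the state in this thread: the lookup
    resolves, but the list was never built from admon data.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, [])
    needed = [f for f, _ in inputs] + [f for f, _ in outputs]
    missing = [f for f in needed if f not in header]
    rows = sum(1 for row in reader if any(cell.strip() for cell in row))
    return {"missing": missing, "rows": rows}


def check_lookup_file(lookups_dir, directive, filename_map):
    """Resolve the directive's definition to a CSV under lookups_dir and check it."""
    name, definition, inputs, outputs = parse_lookup_directive(directive)
    filename = filename_map.get(definition)
    if filename is None:
        return "%s: no transforms.conf entry for %s" % (name, definition)
    path = os.path.join(lookups_dir, filename)
    if not os.path.exists(path):
        return "%s: %s missing on disk" % (name, path)
    with open(path, newline="") as fh:
        result = check_lookup_csv(fh.read(), inputs, outputs)
    if result["missing"]:
        return "%s: %s lacks columns %s" % (name, filename, ",".join(result["missing"]))
    if result["rows"] == 0:
        return "%s: %s exists but has no rows (build the AD lookup lists)" % (name, filename)
    return "%s: ok (%d rows)" % (name, result["rows"])


# The directive quoted in this thread (props.conf line 99 of the app).
DIRECTIVE_COMPUTER = (
    "LOOKUP-ms_ad_obj_xml_member_dn_computer = AD_Computer_LDAP_list "
    "distinguishedName AS member_obj_dn OUTPUT sAMAccountName AS member_obj_id,"
    "domain AS member_obj_domain,objectClass AS member_obj_class"
)
# Assumed definition -> file mapping, inferred from the lookup file listing.
FILENAME_MAP = {"AD_Computer_LDAP_list": "AD.Computer.LDAP.list.csv",
                "AD_Groups_LDAP_list": "AD.Groups.LDAP.list.csv"}
# Constructed CSV contents for the three states (hypothetical host/domain).
SAMPLE_OK = ('distinguishedName,sAMAccountName,domain,objectClass\n'
             '"CN=WS01,OU=Workstations,DC=example,DC=local",WS01$,EXAMPLE,computer\n')
SAMPLE_HEADER_ONLY = "distinguishedName,sAMAccountName,domain,objectClass\n"
SAMPLE_BAD_HEADER = "distinguishedName,sAMAccountName,objectClass\n"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, FILENAME_MAP["AD_Computer_LDAP_list"]), "w", newline="") as fh:
            fh.write(SAMPLE_HEADER_ONLY)
        print(check_lookup_file(d, DIRECTIVE_COMPUTER, FILENAME_MAP))
```

Point lookups_dir at the app's lookups directory (/opt/splunk/etc/apps/ms_windows_ad_objects/lookups in the listing below) and feed it each LOOKUP-* line from props.conf; a "missing on disk" result explains a "Could not load lookup" error, while "exists but has no rows" means the build step in shogan_splunk's answer has not run yet.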

kloppm
New Member

Hi, thanks.
These lookups were not created during installation,
so that's not a permission error; it's more a missing error, as well as an update error for the existing ones, like the following (all with no owner, app ms_windows_ad_objects):

Lookup table file (/opt/splunk/etc/apps/ms_windows_ad_objects/lookups/)   Sharing   Status
AD.Audit.Admin.list.csv                                                     Global    Enabled
AD.Computer.LDAP.list.csv                                                   Global    Enabled
AD.Distribution.Lists.LDAP.list.csv                                         Global    Enabled
AD.Domain.Selector.list.csv                                                 App       Enabled
AD.GroupPolicies.LDAP.list.csv                                              Global    Enabled
AD.Groups.LDAP.list.csv                                                     Global    Enabled
AD.OU.LDAP.list.csv                                                         Global    Enabled
AD.Users.LDAP.list.csv                                                      Global    Enabled
AD_Objects_Queue_Main.csv                                                   Global    Enabled
AD_UAC_Details.csv                                                          Global    Enabled
ms_ad_obj_change_eventcodes.csv                                             Global    Enabled
ms_ad_obj_default_critical_objects.csv                                      Global    Enabled
ms_ad_obj_error_codes.csv                                                   Global    Enabled
ms_ad_obj_field_AD_Computer_LDAP_list.csv                                   Global    Enabled
ms_ad_obj_field_AD_Groups_LDAP_list.csv                                     Global    Enabled
ms_ad_obj_field_AD_User_LDAP_list.csv                                       Global    Enabled
ms_ad_obj_group_details.csv                                                 Global    Enabled
ms_ad_obj_group_types.csv                                                   Global    Enabled
ms_ad_obj_logon_types.csv                                                   Global    Enabled
ms_ad_obj_lookup_field_lists.csv                                            Global    Enabled
ms_ad_obj_uac_temp.csv                                                      Global    Enabled
ms_ad_obj_user_rights_map.csv                                               Global    Enabled
