Active Directory inputs missing SYNC event types a...

mcrawford44 · ‎07-09-2015

As the question above states;

Since the 6.2.1 update of Splunk, our active directory inputs are no longer gathering 'admonEventType=Sync' events.

Sync events are the main meat of the AD indexes, containing the actual listing for objects.

Our last _time entry is 12/16/2014 around 10am, immediately after the 6.2.1 update.

The other 3 admonEventTypes are still collected. Start, Scheme, update.

I have recreated the inputs on 2 servers in different location, and the same behavior remains. Only 3 of the event types are being collected.

corey_dick · ‎01-22-2016

The solution is to remove the following line from the admon stanza in inputs.conf file in the system\default folder:

baseline=0

Adding baseline=1 to the inputs.conf in the system\local folder has no effect from what I could see. This issue effects all versions of 6.2 and 6.3.

mcrawford44 · ‎07-17-2015

Splunk support was able to replicate this bug and have submitted a ticket; SPL-104212

Awaiting response, and I will post any remediation steps here.

Active Directory inputs missing SYNC event types after 6.2.1 upgrade?