Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Active Directory inputs missing SYNC event types after 6.2.1 upgrade?

mcrawford44
Communicator
‎07-09-2015 01:29 PM

As the question above states;

Since the 6.2.1 update of Splunk, our active directory inputs are no longer gathering 'admonEventType=Sync' events.

Sync events are the main meat of the AD indexes, containing the actual listing for objects.

Our last _time entry is 12/16/2014 around 10am, immediately after the 6.2.1 update.

The other 3 admonEventTypes are still collected. Start, Scheme, update.

I have recreated the inputs on 2 servers in different location, and the same behavior remains. Only 3 of the event types are being collected.

Reply

corey_dick
Path Finder
‎01-22-2016 11:57 AM

The solution is to remove the following line from the admon stanza in inputs.conf file in the system\default folder:

baseline=0

Adding baseline=1 to the inputs.conf in the system\local folder has no effect from what I could see. This issue effects all versions of 6.2 and 6.3.

0 Karma
Reply

mcrawford44
Communicator
‎07-17-2015 12:55 PM

Splunk support was able to replicate this bug and have submitted a ticket; SPL-104212

Awaiting response, and I will post any remediation steps here.

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!