Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Active Directory inputs missing SYNC event types after 6.2.1 upgrade?

mcrawford44
Communicator
‎07-09-2015 01:29 PM

As the question above states;

Since the 6.2.1 update of Splunk, our active directory inputs are no longer gathering 'admonEventType=Sync' events.

Sync events are the main meat of the AD indexes, containing the actual listing for objects.

Our last _time entry is 12/16/2014 around 10am, immediately after the 6.2.1 update.

The other 3 admonEventTypes are still collected. Start, Scheme, update.

I have recreated the inputs on 2 servers in different location, and the same behavior remains. Only 3 of the event types are being collected.

Reply

corey_dick
Path Finder
‎01-22-2016 11:57 AM

The solution is to remove the following line from the admon stanza in inputs.conf file in the system\default folder:

baseline=0

Adding baseline=1 to the inputs.conf in the system\local folder has no effect from what I could see. This issue effects all versions of 6.2 and 6.3.

0 Karma
Reply

mcrawford44
Communicator
‎07-17-2015 12:55 PM

Splunk support was able to replicate this bug and have submitted a ticket; SPL-104212

Awaiting response, and I will post any remediation steps here.

0 Karma
Reply
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...