How do you assign host value for ActiveDirectory s...

Jason_1 · ‎03-18-2011

I have the 4.2 universal forwarder installed on an Active Directory DC, but have been unable to assign the fqdn as the host value for ActiveDirectory (splunk-admon) events. Setting host=fqdn in inputs.conf sets the correct host value for WinEventLog and WMI events, but not for ActiveDirectory. Tried setting host=fdqn in admon.conf but did not have any effect. Also tried the following transform but still had no effect...

$splunkhome/etc/system/local/props.conf

[ActiveDirectory] 
TRANSFORMS-rowandc = rowandc-host

$splunkhome/etc/system/local/transforms.conf

[rowandc-host]
DEST_KEY = MetaData:Host
REGEX = dcName=(\w*\.rowanads\.rowan\.edu)
FORMAT = host::$1

Sample data...

03/18/2011 11:25:50.073
dcName=ads4.rowanads.rowan.edu
admonEventType=Deleted
objectGuid=removed
distinguishedName=removed
host=ADS4      sourcetype=ActiveDirectory      source=ActiveDirectory

woodcock · ‎06-03-2015

That should work but you will need to restart every Indexer first (which you probably did not do). I would also use something like this instead of what you are using:

REGEX = dcName=(.*)[\r\n]

How do you assign host value for ActiveDirectory source?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation