Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to query a List of Domain Controllers?

itsmevic
Communicator
‎03-25-2020 08:42 AM

I'd like to pull a complete listing of all domain controllers in my environment and I'd like to do it through Splunk. Does anyone have some helpful SPL that can query the network for this?

0 Karma
Reply

Azeemering
Builder
‎06-27-2022 04:20 AM

On the other hand you can look for eventcodes that a domain controllers generates:

For example 4776: The domain controller attempted to validate the credentials for an account

index=*win* source="*WinEventLog:Security" EventCode=4776
| rename ComputerName as DomainControllerName
| table _time DomainControllerName user

 
This will give you a list of your domain controllers....as long as you have windows clients sending their eventlogs to Splunk ofcourse.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-25-2020 10:30 AM

SPL cannot query a network. SPL queries data stored in Splunk indexers. If you have indexed a list of your servers in Splunk then SPL can be used to query that data to find DCs.

There are exceptions, of course. The Splunk for Asset Discovery app (https://splunkbase.splunk.com/app/662/) uses the nmap utility to scan networks for devices and indexes the results. The Splunk Supporting Add-on for Active Directory app (https://splunkbase.splunk.com/app/1151/) can query Active Directory for information, which might include DCs.

OTOH, if your DCs are reporting events to Splunk now, you can use this query to get their names. Modify the "dc" to match the name scheme for your DCs.

| metadata type=hosts | search host="*dc*"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mazharuddin
New Member
‎07-20-2023 06:16 AM

what is the spl query to check all logs of DC ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...