Getting Data In

How to query a List of Domain Controllers?


I'd like to pull a complete listing of all domain controllers in my environment and I'd like to do it through Splunk. Does anyone have some helpful SPL that can query the network for this?

Labels (1)
0 Karma


On the other hand you can look for eventcodes that a domain controllers generates:

For example 4776: The domain controller attempted to validate the credentials for an account

index=*win* source="*WinEventLog:Security" EventCode=4776
| rename ComputerName as DomainControllerName
| table _time DomainControllerName user

This will give you a list of your domain long as you have windows clients sending their eventlogs to Splunk ofcourse.

0 Karma


SPL cannot query a network. SPL queries data stored in Splunk indexers. If you have indexed a list of your servers in Splunk then SPL can be used to query that data to find DCs.

There are exceptions, of course. The Splunk for Asset Discovery app ( uses the nmap utility to scan networks for devices and indexes the results. The Splunk Supporting Add-on for Active Directory app ( can query Active Directory for information, which might include DCs.

OTOH, if your DCs are reporting events to Splunk now, you can use this query to get their names. Modify the "dc" to match the name scheme for your DCs.

| metadata type=hosts | search host="*dc*"
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...