Re: extract log files on one Active Directory OU

rapture005 · ‎08-01-2018

Possible unique situation. I work for a state agency and each state agency is under the same domain. So each state agency is its own OU in AD (I know its bad but it is the way it is). We need to extract only log files pertaining to my own agency. The group that manages AD wants to dump the logs on a share and for us to import. Is it possible to use a heavy forwarder to extract the log files for my agency only? I'm not sure if it is possible. I'm sorry if this is confusing. I'm not looking for a step by step just general info if possible.

sudosplunk · ‎08-01-2018

Hello,

While HF can do the job, you can use Universal Forwarder also to ingest logs from share. It would be easy if the log files have some kind of unique name which differentiates it with other log files. Please provide some examples with screenshots or samples to further assist you.

Meanwhile, you can find good explanation with steps here.

rapture005 · ‎08-01-2018

thanks for the quick response. That is what I'm afraid of how to differentiate the groups. I'm working on getting some data to test.

sudosplunk · ‎08-01-2018

Can you show where logs are stored? I meant "path\to\file".
PS: Mask sensitive information(if any).

extract log files on one Active Directory OU

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation