Help on AD monitoring with Splunk

jip31
Motivator

Hi

I am trying to list the different ways to collect Active Directory in Splunk.

Unless I am mistaken, there are 2 main ways to do that:

  1. Using the Splunk Supporting Add-on for Active Directory: https://splunkbase.splunk.com/app/1151/
  2. Using the splunk-admon.exe process

Is that true? What are the advantages and disadvantages of these solutions, please?

Is it also possible to install a connector between Splunk and AD in order to store the AD events in a KV Store?

Thanks in advance


shivanshu1593
Builder

Hi @jip31 ,

Splunk recommends using the Active Directory add-on. It's much faster, more efficient and easy to debug if you encounter issues with it.

It gives you a connection to the AD forest. After that, all you need to do is configure a simple search to query the data and outputlookup it into a KV Store lookup, which is just what you're looking for.

Hope this helps.

Thanks,

S

***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

jip31
Motivator

Hi

Thanks for your explanation of the Active Directory add-on.

Just another question:

Is it also possible to use DB Connect, link it with the AD forest, and export events to a KV Store lookup?


shivanshu1593
Builder

I believe you can query AD using SQL commands, so technically it is possible. I'd consult with the server team and see if they are okay with it.

To pipe the data into a KV Store using DB Connect is a big pain in the rear end. You'll have to do the following:

1. Create a search using the dbquery command and get the desired output from the AD forest.

2. Use outputlookup to put the data into the KV Store.

3. Save the search as a scheduled search to keep the process going.

Hope this helps.

Thank you,

S

***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
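The three steps above, as an added configuration example that is not part of the original thread or of DB Connect itself. It assumes DB Connect 3.x's `dbxquery` command, a DB Connect connection named `ad_sql` that points at a SQL Server with an ADSI linked server called `ADSI`, a domain `DC=example,DC=com`, and a KV Store collection `ad_users`; every one of those names is an assumption.

```ini
# collections.conf (local/ of your app): the KV Store collection.
# Collection and field names are assumed for this example.
[ad_users]
field.sAMAccountName = string
field.userAccountControl = number
field.whenChanged = string
field.distinguishedName = string
accelerated_fields.by_sam = {"sAMAccountName": 1}

# transforms.conf: expose the collection as a lookup so outputlookup/lookup
# can address it by name.
[ad_users_lookup]
external_type = kvstore
collection = ad_users
fields_list = _key, sAMAccountName, userAccountControl, whenChanged, distinguishedName

# savedsearches.conf: the scheduled search that performs steps 1 to 3.
# The DB Connect identity behind "ad_sql" only needs read access; the search
# never writes to the directory. Setting _key to the account name makes each
# run overwrite the same record instead of appending duplicates.
[AD Users to KV Store]
enableSched = 1
cron_schedule = 0 */6 * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
search = | dbxquery connection="ad_sql" query="SELECT sAMAccountName, userAccountControl, whenChanged, distinguishedName FROM OPENQUERY(ADSI, 'SELECT sAMAccountName, userAccountControl, whenChanged, distinguishedName FROM ''LDAP://DC=example,DC=com'' WHERE objectClass=''user'' AND objectCategory=''person''')" \
| eval _key=sAMAccountName \
| outputlookup ad_users_lookup
```

The ADSI OLE DB provider does not page results, so a single OPENQUERY returns at most the domain's MaxPageSize (1000 by default); larger directories have to be split across several queries, which is part of why the add-on path is the simpler one.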