Script for lookup table 'ad_username' returned error code 1

jbreu
Explorer

We have installed the Splunk App for Exchange and for a while, we were getting some really great information. The other day we started getting the following error and a lot of the information when we would dive into subjects would be missing:

[server xxx] Script for lookup table 'ad_username' returned error code 1. Results may be incorrect.

There were no changes made to the deployment before this started happening that I am aware of.

Has anyone experienced this before or have an idea as to what can be done to fix the issue?

Thanks,
Jeff

0 Karma
1 Solution

jbreu
Explorer

We opened a case on this issue with support and went through the different configurations you mentioned above to no avail.

We ended up copying the Exchange app folder from one server to the other which ended up resolving the 'ad_username' error we were seeing.

Not sure as to what changed or what really broke, but something was different on the server throwing the error.

0 Karma

ahall_splunk
Splunk Employee

Something has changed on your deployment.

The ad_username lookup is defined in Splunk_for_Exchange/default/transforms.conf and its job is to normalize the username being presented in the IIS or message tracking logs into something that you can search for repeatedly. Lots of things break when this breaks. A few things to check:

1) Do a search in index=_internal to see if the script is mentioned with a more specific error message.
2) Check the permissions on the script itself (it's in the bin directory), plus the domain_aliases.csv file and the active_directory.csv file (the latter is an optional file, so you may not have one).
3) Ensure there are no blank lines in either of the CSV files.
4) Create an example CSV file to drive the lookup. It should have two fields - cs_username and user_subject. An example might be:

cs_username,user_subject
YOURDOMAIN\user
user
user@yourdomain.com

Once you have this, you can feed this into the lookup and check the output, or errors. You do this with the following command line:

splunk cmd python bin/ad_username.py < yourtestfile.csv

Alter the paths according to where the files are stored. In this example, I created the file in the Splunk_for_Exchange directory and ran the command from there.

If this doesn't point to the error, then please post the app version and splunk version. Also, if you have Splunk Support, then please open a case with our Support group for more specific assistance.

0 Karma
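
Checks 2 and 3 from the answer above (file permissions and blank lines in the CSV files), written as an added example that is not part of the original thread or the app's own code. The function names, the sample column names and the temporary files in `demo()` are constructed for illustration; pass in the real paths to ad_username.py, domain_aliases.csv and active_directory.csv for your installation.

```python
import os
import tempfile

def check_lookup_file(path, optional=False):
    """Return findings for one file the lookup script reads (empty list = clean)."""
    if not os.path.exists(path):
        return [] if optional else [f"{path}: missing"]
    # os.access tests the *current* user, so run this as the account Splunk runs as.
    if not os.access(path, os.R_OK):
        return [f"{path}: not readable by the current user"]
    # newline="" keeps raw line endings; utf-8-sig drops a BOM if one is present.
    with open(path, newline="", encoding="utf-8-sig", errors="replace") as fh:
        lines = fh.read().splitlines()
    if not lines:
        return [f"{path}: file is empty"]
    # Whitespace-only lines count as blank, including a trailing one at end of file.
    return [f"{path}: blank line at line {n}"
            for n, line in enumerate(lines, start=1) if not line.strip()]

def check_lookup_inputs(script, domain_aliases, active_directory):
    """Run the checks over the script and both CSV files; paths are caller-supplied."""
    findings = []
    if not os.path.isfile(script):
        findings.append(f"{script}: missing")
    elif not os.access(script, os.R_OK):
        findings.append(f"{script}: not readable by the current user")
    findings += check_lookup_file(domain_aliases)
    # The answer notes active_directory.csv is optional, so absence is not a finding.
    findings += check_lookup_file(active_directory, optional=True)
    return findings

def demo():
    """Constructed sample: a readable script, one CSV with blank lines, one absent."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "ad_username.py")
    aliases = os.path.join(d, "domain_aliases.csv")
    with open(script, "w") as fh:
        fh.write("# placeholder\n")
    with open(aliases, "w", newline="") as fh:
        # Column names are made up; blank lines sit at lines 3 and 5.
        fh.write("col_a,col_b\r\nx,y\r\n\r\nz,w\r\n   \r\n")
    return check_lookup_inputs(script, aliases, os.path.join(d, "active_directory.csv"))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the same checks on both the working server and the one throwing the error gives a quick way to see whether these files differ between them.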