A couple things to check, run, in order:
Verify admon "Sync" data and index name used in eventtype
1. Run the following search against All Time to verify you are getting admon "admonEventType=Sync" data and what index it is being placed in.
index=* sourcetype="ActiveDirectory" admonEventType="Sync" | head 100 | fields index | stats count by index
2. If you see data return, then check the returned index against the ms_ad_obj_msad_data eventtype to either verify it is defined correctly or update it if needed.
3. If the index returned from the search was different, then try running through the Configuration Dashboards -> Build AD Lookup Lists - Main dashboard to build the AD_...._LDAP_list lookups.
The lookups AD_Computer_LDAP_list/AD_Groups_LDAP_lists are referenced by the XmlWinEventLog:Security sourcetype in the props.conf.
They aren't created by default because they use the collected admon data to build them.
So if there are no results returned when you run the search | inputlookup AD_Computer_LDAP_list then the admon data either hasn't been indexed or there have not been any Computer changes that have occurred since installing the MS Windows AD Objects application.
(By default any changes get picked up every 15 minutes, and the build process mentioned in step 3 rolls up all events Sync/Delete/Changed since the last day the Sync was collected.)
As far as the AD_Domain_Selector lookup, it uses the admon data to extract the host, DomainNetBIOSName, DomainDNSName, ForestName, Site information. Although I have run into an issue with another customer where the admon data was not providing the sub-domain values correctly. So if you don't see data in the AD_Domain_Selector after verifying you are getting admon data, then you can try running either of the following Options to put the correct domain values in the AD_Domain_Selector lookup.
Update the AD_Domain_Selector lookup:
Option I
On 1 AD Domain Controller Per Domain, enable the Splunk_TA_windows ## Health and Topology Information NT6 [script://.\bin\runpowershell.cmd nt6-health.ps1] or ## Health and Topology Information 2012r2 and 2016 [powershell://AD-Health] inputs, depending on DC OS version.
After you start receiving data from the search sourcetype="MSAD:*:Health" | head 1 then use the following search to update the AD_Domain_Selector lookup.
source=powershell sourcetype="MSAD:*:Health"
| fields host, DomainNetBIOSName,DomainDNSName,ForestName,Site
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site
| table host, DomainNetBIOSName,DomainDNSName,ForestName,Site
| append [|inputlookup AD_Domain_Selector| table host, DomainNetBIOSName,DomainDNSName,ForestName,Site]
| dedup host, DomainNetBIOSName,DomainDNSName,ForestName,Site
| eval domain=DomainNetBIOSName
| sort ForestName,Site,DomainDNSName,host
| outputlookup AD_Domain_Selector
Option II - Manually Update the AD_Domain_Selector lookup
To manually update the AD_Domain_Selector lookup run the following search, replacing the your_dc_host and your_domain_value text with the matching value for the AD Domain you are adding. Note: You can run the search multiple times, where you need to add multiple AD domains:
| inputlookup AD_Domain_Selector
| append [| makeresults
| eval host="your_dc_host"
| eval DomainNetBIOSName="your_domain_value"
| eval DomainDNSName="your_domain_value"
| eval ForestName="your_domain_value"
| eval Site="your_domain_value" ]
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site
| eval domain=DomainNetBIOSName
| outputlookup AD_Domain_Selector
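A follow-up check for after either Option has been run, added here as an example and not part of the original post: it compares the hosts in AD_Domain_Selector against the hosts that actually sent admon Sync events, and flags Option II placeholder text that was written to the lookup unchanged. Assumptions: a 7-day search window, host as the matching key, and the status wording, all of which are illustrative.

```spl
| inputlookup AD_Domain_Selector
| eval host=lower(host), in_lookup=1
| eval placeholder=if(host=="your_dc_host" OR DomainNetBIOSName=="your_domain_value", 1, 0)
| append
    [ search index=* sourcetype="ActiveDirectory" admonEventType="Sync" earliest=-7d
      | eval host=lower(host)
      | stats count AS sync_events by host, index ]
| stats max(in_lookup) AS in_lookup,
        max(placeholder) AS placeholder,
        sum(sync_events) AS sync_events,
        values(index) AS index,
        values(DomainNetBIOSName) AS DomainNetBIOSName,
        values(DomainDNSName) AS DomainDNSName
        by host
| eval status=case(
    placeholder==1, "placeholder text from Option II still in lookup",
    isnull(in_lookup), "sends admon Sync data but is missing from AD_Domain_Selector",
    isnull(sync_events), "in lookup, no admon Sync data from this host in the window",
    true(), "ok")
| sort status, host
| table host, status, index, sync_events, DomainNetBIOSName, DomainDNSName
```

A host reported as "in lookup, no admon Sync data" is expected when the row came from the Health inputs in Option I or was added manually in Option II.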