Does the Splunk Add-on for Windows Include the Supporting Add-on for AD?

ross_sd
Explorer

I have Splunk Cloud and on here I have the Splunk App for Windows Infrastructure installed. I also have the Splunk Supporting Add-on for Active Directory installed (which I was told was needed) on Splunk Cloud. However, I'm not so sure this is correct because the configuration of this supporting Add-on looks very much like it needs to be within my local network.

In my local network, I have a domain controller with the Splunk Add-on for Microsoft Windows installed and this is sending data to my Splunk Cloud indexes. However, some of my dashboards display errors like this: 

[subsearch]: External search command 'ldapsearch' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=MYDOMAIN in ldap.conf. "

I've been reading through the docs again and it seems like I need to have LDAP searches configured and working which appear to be part of the Supporting Add-on for Active Directory. However, another post I read said that the Splunk Add-on for Microsoft Windows removes the need for this supporting add-on. 

I'm wholly confused at the moment. Can someone clear this up for me? I just want to get all data working correctly on the Splunk App for Windows Infrastructure hosted in my Splunk Cloud environment. Documentation just feels like an utter minefield. 

Am I missing an app on my local server or have I missed a piece of key config on the Splunk Add-on for Microsoft Windows App?

richgalloway
SplunkTrust

The ldapsearch command cannot be run from Splunk Cloud because SC does not have access to your AD service.  You'll have to ignore the dashboard panels that use ldapsearch.

---
If this reply helps you, an upvote would be appreciated.
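A pre-flight check for the two failure modes discussed in this thread (no stanza for the domain in ldap.conf, and a search head that cannot reach the directory server, which is the Splunk Cloud case), as an added example that is not from the thread or from the SA-ldapsearch add-on; the ldap.conf path and the server/port/basedn stanza keys are assumptions about the add-on's layout, and the sample config is constructed.

```python
import configparser
import socket

# Constructed sample ldap.conf (not the poster's). On a real search head
# read $SPLUNK_HOME/etc/apps/SA-ldapsearch/local/ldap.conf instead
# (path and keys assumed from the add-on's layout).
SAMPLE_LDAP_CONF = """
[default]
port = 389

[CORP]
server = dc01.corp.example
basedn = DC=corp,DC=example
"""


def load_ldap_conf(text):
    # Splunk .conf files are INI-style; [default] supplies fallback values
    # for every other stanza, which configparser's default_section models.
    conf = configparser.ConfigParser(interpolation=None, default_section="default")
    conf.read_string(text)
    return conf


def tcp_reachable(host, port, timeout=3.0):
    # Plain TCP connect: the cheapest test of whether this search head can
    # reach the directory server at all (this is what fails from Splunk Cloud).
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def check_domain(conf, domain, probe=tcp_reachable):
    """Return (ok, message) for one domain; messages mirror ldapsearch's."""
    if not conf.has_section(domain):
        return False, (f"Cannot find the configuration stanza for "
                       f"domain={domain} in ldap.conf.")
    stanza = conf[domain]
    server = stanza.get("server")
    if not server:
        return False, f"stanza [{domain}] sets no server"
    port = stanza.getint("port", fallback=389)
    if not probe(server, port):
        return False, f"search head cannot reach {server}:{port} for domain={domain}"
    return True, f"domain={domain} -> {server}:{port} ok"


if __name__ == "__main__":
    conf = load_ldap_conf(SAMPLE_LDAP_CONF)
    for d in ("CORP", "MYDOMAIN"):
        print(check_domain(conf, d))
```

Run it on the search head that will execute the dashboards; a "cannot reach" result for every domain is the symptom a cloud-hosted search head will show.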

ross_sd
Explorer

Right, I see. Surely there could be something at the start of the documentation in bold that says "XYZ functionality is not available in Splunk Cloud".

Could this be achieved by collecting the data locally via an on-prem instance and then forwarding it to my Splunk Cloud?


richgalloway
SplunkTrust

Yes, the documentation could be better.

Yes, you can collect the data locally and forward it to Splunk Cloud.  That is common, however, it does not fix the ldapsearch command.

---
If this reply helps you, an upvote would be appreciated.

ross_sd
Explorer

Thanks Rich. 

Seems like another limitation amongst quite a lot I've found with Splunk Cloud.


richgalloway
SplunkTrust

Limitations should be expected when you're using someone else's computer.

---
If this reply helps you, an upvote would be appreciated.

ross_sd
Explorer

And said owner of the computer (account manager/sales rep in this case) should sell it while clearly stating said limitations, rather than saying X can do everything Y can do but in a more simplistic offering.


richgalloway
SplunkTrust

It's true Splunk could do more to let users know about the limitations of Splunk Cloud.  Also, one should not put too much stock in the technical information provided by sales people.

BTW, some differences are published at https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Service/SplunkCloudservice#Differences_be...

---
If this reply helps you, an upvote would be appreciated.

ross_sd
Explorer

Oh don't worry I know about sales people. This was one bit of procurement I was not involved in, I'm simply the techy doing the implementation. I was however involved in an account management catchup call and the term 'professional services' was used 16 times in less than 25 minutes (my colleague and I had a bet on how many times they would push it). Either way, greater clarity is needed in both the documentation and the way it's sold. At the moment, Splunk Cloud just feels like a product pushed out quickly for the sake of casting a wider sales net.

Anyway, I appreciate the insight and good to know I need not waste any more time on this particular aspect! That's me over and out!
