I'm new with splunk, I installed app ms windows ad object but in order to fix the shared points:
First: Add an automatic lookup for source XMLWinEventLog:Security using the AD_Audit_Change_EventCodes lookup.
In the MS Windows AD Objects app, navigate to Settings - - > Lookups - - > Automatic Lookups.
Click New Automatic Lookup
Enter the following:
Name: ms_ad_obj_wrkaround_msad_action
Source: XmlWinEventLog:Security
Lookup Input Fields:
EventCode = EventCode
obj_type = obj_type
Lookup output Fields:
change_action = change_action
Click Save
Set the permissions to the app and role permissions
I did what is asked but I still get the message:
Could not load lookup=LOOKUP-ms_ad_obj_wrkaround_msad_action
with a failure for some functionalities of the application
Hi @hichem_khalfi,
I don't love automatic lookups because sometimes they don't work and anyway it's more difficoult to debug code when there's a problem.
Anyway, before to create an automatic lookup, you have to create a lookup and test it; automatic lookup is only a rule but it doesn't create the lookup.
Did you cretead the lookup and the lookup definition?
Ciao.
Giuseppe
no, i did what the app owners asked
Hi @hichem_khalfi,
Ok check if the lookup and the lookup definition of ms_ad_obj_wrkaround_msad_action are defined or not.
Ciao.
Giuseppe
i c'ant fin ms_ad_obj_wrkaround_msad_action on Lookup definitions
Hi @hichem_khalfi,
as I said, the problem is that you want to create an automatic lookup without create lookup and lookup definition before.
Check the documentation.
Maybe you are only using a wrong name.
Ciao.
Giuseppe
please read: that what i did exactly , i havent LOOKUP-ms_ad_obj_wrkaround_msad_action from the begin and i create it as the app owner told
There is a current issue where the msad_action field is not being extracted by the Splunk AddOn for Windows for XMLWinEventLogs. This field is heavily leveraged by this application, so below is a workaround until the TA is fixed, or a new version of this app is released.
Hi @hichem_khalfi,
I haven't this app so I cannot test it, but the instruction seems to be clear:
did you created the Automatic Lookup and the calculated field in the same App or outside it?
did you give the grants to the automatic lookup and the calculated field?
If you don't reach to solve the problem, you can contact the developer (there's a link in https://splunkbase.splunk.com/app/3177/ )
Ciao.
Giuseppe