All Apps and Add-ons

Splunk App for Windows Infrastructure AD issue

zwillis24
New Member

I'm trying to get the Splunk App for Windows Infrastructure working (works for windows events but nothing else) and I'm running into some problems with AD. I believe I have everything setup correctly. I can search AD, for example, |ldapsearch domain=DOMAIN search="(cn=Administrator)" returns a result. However, when I do this search eventtype=msad-dc-health it returns nothing. And when I try to run one of the macros, like domain-list|dedup host|outputlookup DomainList.csv, it returns Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Expecting stanza name 'domain-list'. What am I doing wrong? I've also tried the legacy AD app without success. All the prerequisites appear to be met. Nothing ever populates in the apps AD queries. Thanks.

0 Karma
1 Solution

zwillis78
Engager

Fix by Splunk support. There was an issue with the newest version of the Active Directory app.

View solution in original post

0 Karma

zwillis78
Engager

Fix by Splunk support. There was an issue with the newest version of the Active Directory app.

0 Karma

dwithers
Explorer

have you verified your ldapsearch is working properly? Specifically the SA-ldapsearch addon required?

0 Karma

zwillis24
New Member

I did. That is working fine. I can search AD and AD changes are being indexed.

0 Karma

dbylertbg
Path Finder

Have you deployed the TAs for active directory monitoring?

Specifically: TA-DNSServer-NT5 TA-DNSServer-NT6 TA-DomainController-2012R2 TA-DomainController-NT5 TA-DomainController-NT6 (as appropriate)

0 Karma

zwillis24
New Member

Thanks for the reply. I do have those setup in local folders... I think correctly. Any reason why I would be getting this error Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Or anything else you can think of that I might be missing? I went through the setup docs very closely. Thanks!

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...