All Apps and Add-ons

Splunk App for Windows Infrastructure AD issue

zwillis24
New Member

I'm trying to get the Splunk App for Windows Infrastructure working (works for windows events but nothing else) and I'm running into some problems with AD. I believe I have everything setup correctly. I can search AD, for example, |ldapsearch domain=DOMAIN search="(cn=Administrator)" returns a result. However, when I do this search eventtype=msad-dc-health it returns nothing. And when I try to run one of the macros, like domain-list|dedup host|outputlookup DomainList.csv, it returns Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Expecting stanza name 'domain-list'. What am I doing wrong? I've also tried the legacy AD app without success. All the prerequisites appear to be met. Nothing ever populates in the apps AD queries. Thanks.

0 Karma
1 Solution

zwillis78
Engager

Fix by Splunk support. There was an issue with the newest version of the Active Directory app.

View solution in original post

0 Karma

zwillis78
Engager

Fix by Splunk support. There was an issue with the newest version of the Active Directory app.

0 Karma

dwithers
Explorer

have you verified your ldapsearch is working properly? Specifically the SA-ldapsearch addon required?

0 Karma

zwillis24
New Member

I did. That is working fine. I can search AD and AD changes are being indexed.

0 Karma

dbylertbg
Path Finder

Have you deployed the TAs for active directory monitoring?

Specifically: TA-DNSServer-NT5 TA-DNSServer-NT6 TA-DomainController-2012R2 TA-DomainController-NT5 TA-DomainController-NT6 (as appropriate)

0 Karma

zwillis24
New Member

Thanks for the reply. I do have those setup in local folders... I think correctly. Any reason why I would be getting this error Error in 'SearchParser': Could not find macro 'domain-list' that takes 0 arguments. Or anything else you can think of that I might be missing? I went through the setup docs very closely. Thanks!

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...