Solved: Active Directory: monitor only users data

giorgio_adami_m · ‎11-26-2012

Hi all!

I need to import users informations from AD.
The forest has a folder for each Country, and each country has the "users" folder (Ex: OU=users, OU=Country1, OU=intranet and OU=users, OU=Country2, OU=intranet).

I've tried to edit %SPLUNK_HOME%\bin\scripts\splunk-admon.path in this way:

$SPLUNK_HOME\bin\splunk-admon.exe -query "(&(sAMAccountType=805306368))"

It runs without errors, but i lose the format of the sourcetype "ActiveDirectory".

Any suggestion?
Thanks

giorgio_adami_m · ‎03-05-2013

It seems that it's not possible to edit the query LDAP that splunk-admon launch to the target DC.
I've solved filtering events with props/transforms before forward/index them.

View solution in original post

giorgio_adami_m · ‎03-05-2013

It seems that it's not possible to edit the query LDAP that splunk-admon launch to the target DC.
I've solved filtering events with props/transforms before forward/index them.

Active Directory: monitor only users data

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Active Directory: monitor only users data

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR