I am trying to list the different ways to collect Active Directory data in Splunk.
Unless I am mistaken, there are 2 main ways to do that:
Is it true? What are the advantages and disadvantages of these solutions please?
Is it also possible to install a connector between Splunk and AD in order to store the AD events in a KV Store?
Thanks in advance
I believe you can query AD using SQL commands, so technically it is possible. I'd consult with the server team and see if they are okay with it.
To pipe the data into a KV Store using DB Connect is a big pain in the rear end. You'll have to do the following:
1. Create a search using the dbquery command and get the desired output from the AD forest.
2. Use outputlookup to put the data into the KV Store.
3. Save the search as a scheduled search to keep the process going.
Hope this helps.
***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***
Hi @jip31 ,
Splunk recommends using the Active Directory add-on. It's much faster, more efficient and easier to debug if you encounter issues with it.
It gives you a connection to the AD forest. After that, all you need to do is configure a simple search to query the data and outputlookup into a KV Store lookup, which is just what you're looking for.
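Both answers in this thread end at the same place: a scheduled search whose results land in a KV Store lookup. The configuration below is an added example, not code posted by either answerer. It assumes the Splunk Supporting Add-on for Active Directory (SA-ldapsearch, which provides the `ldapsearch` command) for the add-on route, and DB Connect 3 (whose search command is `dbxquery`, the successor of the `dbquery` command named in the accepted answer) with an already configured connection for the DB Connect route. The app directory, the collection `ad_users`, the lookup `ad_users_kv`, the domain stanza `corp`, the connection `ad_linked_server` and the view `ad_users_view` in the SQL are all placeholder names; the query on the database side that exposes AD to SQL is not shown.

```ini
# collections.conf  (placeholder app path: $SPLUNK_HOME/etc/apps/my_ad_app/local/)
# Defines the KV Store collection. memberOf is stored as one joined string,
# because the search below flattens the multivalue field before writing.
[ad_users]
field.sAMAccountName = string
field.distinguishedName = string
field.userAccountControl = number
field.memberOf = string
field.last_synced = time

# transforms.conf -- exposes the collection as a lookup so that
# outputlookup / inputlookup can address it by name.
[ad_users_kv]
external_type = kvstore
collection = ad_users
fields_list = _key, sAMAccountName, distinguishedName, userAccountControl, memberOf, last_synced

# savedsearches.conf -- route A: Supporting Add-on for Active Directory.
# "corp" is a placeholder for a domain stanza configured in that add-on.
# _key is set to sAMAccountName so that append=true upserts one row per account
# (assumes a single domain; sAMAccountName is only unique within a domain).
[AD users to KV store (ldapsearch)]
enableSched = 1
cron_schedule = 0 */6 * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
search = | ldapsearch domain=corp search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,distinguishedName,userAccountControl,memberOf" \
| eval _key=sAMAccountName, memberOf=mvjoin(memberOf, ";"), last_synced=now() \
| table _key sAMAccountName distinguishedName userAccountControl memberOf last_synced \
| outputlookup append=true ad_users_kv

# savedsearches.conf -- route B: DB Connect.
# "ad_linked_server" is a placeholder DB Connect connection to a database that the
# DBA team has already linked to AD; "ad_users_view" is a placeholder view there.
[AD users to KV store (dbxquery)]
enableSched = 1
cron_schedule = 0 */6 * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
search = | dbxquery connection="ad_linked_server" query="SELECT sAMAccountName, distinguishedName, userAccountControl, memberOf FROM ad_users_view" \
| eval _key=sAMAccountName, memberOf=mvjoin(memberOf, ";"), last_synced=now() \
| table _key sAMAccountName distinguishedName userAccountControl memberOf last_synced \
| outputlookup append=true ad_users_kv
```

Two design points worth noting. First, `append=true` together with an explicit `_key` makes each run an upsert rather than a wipe-and-reload, so a directory query that fails or returns only part of the forest does not leave you with an empty or half-filled collection; the cost is that accounts deleted from AD stay in the collection, which is why `last_synced` is written: `| inputlookup ad_users_kv | where last_synced < relative_time(now(), "-1d")` lists rows the last runs no longer returned. Second, `userAccountControl` is kept as the raw integer so later searches can test its bits (for instance the disabled flag) instead of relying on a decoded string.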
Thanks for your explanation of the Active Directory add-on.
Just another question:
Is it also possible to use DB Connect, link it to the AD forest and export the events into a KV Store lookup?