We got "No results found." for all dashboards after we installed the app. When we clicked on Inspect, we found the following search:
search eventtype=msad-failed-user-logons host!="*" | fields _time, signature, src_ip, src_host, src_nt_host, src_nt_domain, user, Logon_Type
"0 matching events" even when we use this query in Search. But if we remove the term host!="*" or replace it with host!="abc", for example:
search eventtype=msad-failed-user-logons | fields _time, signature, src_ip, src_host, src_nt_host, src_nt_domain, user, Logon_Type
We get all the results back.
Does anyone have any idea what's wrong regarding the "host" field?
Hi, yes, you are right. A misconfiguration caused the host field to become null. Checking the config now. Thanks.
Hmm, host!=*
sounds like a certain way to receive no events.
Essentially this would require that the host field is present in the event (which it is), and that the value does not match any string... would that be some way of saying "is_null"?
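As an added illustration of the semantics discussed in the reply above (this is example code, not code from the thread or from Splunk), here is a small Python model of how field=*, field!=* and NOT field=* behave over a handful of constructed events. It follows Splunk's documented rule that a field!=value comparison only matches events where the field is actually present, while NOT field=value also matches events where the field is missing. The events, the user names and the helper function names are constructed for this example; case handling is simplified.

```python
# Added example (not Splunk code, not from the original thread): a tiny model of
# the documented comparison semantics for `field=value`, `field!=value` and
# `NOT field=value`, run over constructed sample events.
import fnmatch

# Constructed sample events; the last one has no host field at all (null host).
EVENTS = [
    {"_time": "2024-01-01T00:00:01", "host": "dc01", "user": "alice"},
    {"_time": "2024-01-01T00:00:02", "host": "dc02", "user": "bob"},
    {"_time": "2024-01-01T00:00:03", "host": "abc", "user": "carol"},
    {"_time": "2024-01-01T00:00:04", "user": "dave"},  # host missing
]


def field_eq(event, field, pattern):
    """field=pattern: the field must exist and its value must match the wildcard pattern."""
    value = event.get(field)
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value), pattern)


def field_ne(event, field, pattern):
    """field!=pattern: the field must exist AND its value must not match the pattern.

    Events without the field are excluded, which is why host!=* can never match:
    every present host value matches "*", and absent hosts are dropped anyway.
    """
    value = event.get(field)
    if value is None:
        return False
    return not fnmatch.fnmatchcase(str(value), pattern)


def not_field_eq(event, field, pattern):
    """NOT field=pattern: true whenever field=pattern is false, including when the field is absent."""
    return not field_eq(event, field, pattern)


def run(predicate, field, pattern, events=EVENTS):
    """Apply one comparison to every event and return the matching users, in order."""
    return [e["user"] for e in events if predicate(e, field, pattern)]


if __name__ == "__main__":
    print('host!="*"      ->', run(field_ne, "host", "*"))        # [] : nothing can match
    print('NOT host="*"   ->', run(not_field_eq, "host", "*"))    # ['dave'] : only the null-host event
    print('host!="abc"    ->', run(field_ne, "host", "abc"))      # ['alice', 'bob']
    print('host="*"       ->', run(field_eq, "host", "*"))        # ['alice', 'bob', 'carol']
```

The point the model makes explicit: host!="*" is empty by construction, whereas NOT host="*" is the comparison that actually isolates events whose host field is null or missing, which is the check a practitioner would want when debugging why a field has gone null after a configuration change.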
Hi - Can you be more specific about which dashboard you're encountering this error with; is it the User logon failures? Please paste the URL if possible.
Also, what version of the AD app are you running?
Hi, just found out that it's because of a misconfiguration of the Splunk app.