All Apps and Add-ons

Splunk App for Windows Infrastructure: How to fix the a macro on Failed Logons dashboards that return "No Results Found"?

scalloway_atsu_
Explorer

Some Failed Logon dashboards return no results on the search head, but the dashboards are working on the indexers.

eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |`ip-to-host`|`fix-localhost`|stats count by src_nt_host,src_ip|sort -count|rename src_nt_host as "Workstation",src_ip as "IP Address"

Returns no results.

eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |`fix-localhost`|stats count by src_nt_host,src_ip|sort -count|rename src_nt_host as "Workstation",src_ip as "IP Address"

Does return results.

Indicating a failure of the macro ip-to-host. The macro (Settings-Advanced Search-Search Macros) exists in both locations with the same permissions.

How to fix the macro, or the underlying lookup, on the search head?

0 Karma
1 Solution

scalloway_atsu_
Explorer

I might have just enough knowledge to be dangerous, but the following seems to have corrected the problem.

ip-to-host references the tHostInfo collection in KVStore for Splunk App for Windows Infrastructure.
Specifically, for Active Directory - Users - Failed Logins → IP and Username details return “No results found.”

In Searches, reports, and alerts » tHostInfo_Lookup_Update, I find the following runs every five minutes:

thostinfo|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo

Speculating that tHostInfo is empty and not initialized, I ran the following:

thostinfo|outputlookup tHostInfo

The IP and Username details are working now.

View solution in original post

0 Karma

scalloway_atsu_
Explorer

I might have just enough knowledge to be dangerous, but the following seems to have corrected the problem.

ip-to-host references the tHostInfo collection in KVStore for Splunk App for Windows Infrastructure.
Specifically, for Active Directory - Users - Failed Logins → IP and Username details return “No results found.”

In Searches, reports, and alerts » tHostInfo_Lookup_Update, I find the following runs every five minutes:

thostinfo|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo

Speculating that tHostInfo is empty and not initialized, I ran the following:

thostinfo|outputlookup tHostInfo

The IP and Username details are working now.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...