Some Failed Logon dashboards return no results on the search head, but the dashboards are working on the indexers.
eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |`ip-to-host`|`fix-localhost`|stats count by src_nt_host,src_ip|sort -count|rename src_nt_host as "Workstation",src_ip as "IP Address"
Returns no results.
eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |`fix-localhost`|stats count by src_nt_host,src_ip|sort -count|rename src_nt_host as "Workstation",src_ip as "IP Address"
Does return results.
Indicating a failure of the macro ip-to-host. The macro (Settings-Advanced Search-Search Macros) exists in both locations with the same permissions.
How to fix the macro, or the underlying lookup, on the search head?
I might have just enough knowledge to be dangerous, but the following seems to have corrected the problem.
ip-to-host references the tHostInfo collection in KVStore for Splunk App for Windows Infrastructure.
Specifically, for Active Directory - Users - Failed Logins → IP and Username details return “No results found.”
In Searches, reports, and alerts » tHostInfo_Lookup_Update, I find the following runs every five minutes:
thostinfo
|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo
Speculating that tHostInfo is empty and not initialized, I ran the following:
thostinfo
|outputlookup tHostInfo
The IP and Username details are working now.
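Added here as a way to check the fix above on each instance, not code from the thread or from the Windows Infrastructure app: it reads the tHostInfo collection over Splunk's management REST port and reports whether it is empty, so a search head can be compared against an indexer before and after seeding the lookup. The app namespace, port 8089 and the credential environment variables are assumptions.

```python
"""Report whether the tHostInfo KV store collection behind `ip-to-host`
holds any records on a given Splunk instance.

Assumptions (not from the original thread): the app folder name is a
placeholder, the management port is 8089, and credentials come from
the SPLUNK_USER / SPLUNK_PASS environment variables.
"""
import json
import os
import ssl
import sys
import urllib.request
from base64 import b64encode

COLLECTION = "tHostInfo"
APP = "APP_NAME_PLACEHOLDER"  # assumption: folder name of the app owning the collection


def summarize_records(body: str) -> dict:
    """Parse the JSON array returned by storage/collections/data and report
    record count, distinct src_ip values and whether the collection is empty."""
    records = json.loads(body)
    ips = {r.get("src_ip") for r in records if r.get("src_ip")}
    return {"records": len(records),
            "distinct_src_ip": len(ips),
            "empty": len(records) == 0}


def fetch_collection(host: str, user: str, password: str, app: str = APP,
                     collection: str = COLLECTION, limit: int = 1000) -> str:
    """GET the collection's records from the KV store REST endpoint."""
    url = (f"https://{host}:8089/servicesNS/nobody/{app}/storage/collections/data/"
           f"{collection}?limit={limit}")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()  # certificate validation stays on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Usage: python check_thostinfo.py <search-head-or-indexer-hostname>
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    body = fetch_collection(host, os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASS"])
    print(summarize_records(body))
```

Run it once against the search head and once against an indexer; an "empty": True result on the search head alone reproduces the symptom described in the question.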