
Splunk not showing events from all domain controllers

shaunmuir
Engager

Hi All, we have a mixed Windows 2003 and Windows 2008 R2 domain controller setup. All of these send events to SCOM and the SCOM ACS database. We point Splunk at the SCOM ACS database to collate these events centrally. Currently when I click on "Active Directory" at the top of Splunk and then click on "Domain Controller Events" I can only see my Windows 2003 domain controller stats. I cannot see any data for my Windows 2008 R2 domain controllers. I have confirmed that there are definitely Windows 2008 R2 domain controller events within the SCOM ACS database. I'm very new to Splunk so very well might be doing something silly. Does anyone know what the SQL query is that is executed directly when I click on "Domain Controller Events"? If I have that I can confirm that the tables in the SCOM database are correct. Otherwise, has anyone seen this before?

dstaulcu
Builder

My team may end up going down this route in the future.

If ACS is anything like SCOM, portions of Windows security event log data are likely spread across multiple tables. You would need to extract a view of security events and ensure that the columns match the field names and character case expected by the Splunk App for Active Directory. There may also be references to SourceName, SourceType etc., so you will likely have some transform work to do if you are tailing SQL data using DB Connect.

0 Karma
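The transform step described above, as an added example that is not code from this thread or from Splunk: it renames the columns of rows pulled from a SQL view into the field names Splunk's Windows event log input produces (EventCode, SourceName, ComputerName, LogName), fails if a required field is absent or differs only in case, and then counts events per domain controller and per EventCode so that a missing host or a missing ID range is visible before any dashboard is consulted. The view's column names (event_id, source_name, computer, log_name) and the sample rows are constructed assumptions; the real ACS schema has to be checked.

```python
"""
Normalise rows from a SQL view of Windows security events (as one would tail
with DB Connect) into the field names Splunk's Windows event log input uses,
then summarise them per domain controller and per EventCode.

The view's column names used here are an assumption, not the ACS schema.
"""
from collections import Counter

# Assumed column names in our SQL view -> Splunk field names.  Splunk field
# names are case-sensitive: a column surfaced as "eventcode" is not EventCode.
COLUMN_MAP = {
    "event_id": "EventCode",
    "source_name": "SourceName",
    "computer": "ComputerName",
    "log_name": "LogName",
}

# Fields the Windows event log searches key on.
REQUIRED_FIELDS = ("EventCode", "SourceName", "ComputerName", "LogName")


def missing_fields(normalised):
    """Return the required Splunk field names that a normalised row lacks."""
    return [f for f in REQUIRED_FIELDS if f not in normalised]


def normalise_row(row):
    """Rename the columns of one row and fail loudly if a required field is absent."""
    out = {COLUMN_MAP.get(col, col): str(val) for col, val in row.items()}
    missing = missing_fields(out)
    if missing:
        raise ValueError(f"row is missing {missing}: {row}")
    # Canonical log name, so a search for LogName=Security matches both DC generations.
    if out["LogName"].lower() == "security":
        out["LogName"] = "Security"
    return out


def events_per_host(rows):
    """Event count per ComputerName: the 'is the data actually there' check,
    done on the rows before they go anywhere near a dashboard."""
    return Counter(r["ComputerName"] for r in map(normalise_row, rows))


def events_per_host_and_code(rows):
    """Event count per (ComputerName, EventCode).  Windows 2003 and 2008 R2 DCs
    emit different IDs for the same activity (e.g. 540 vs 4624 for a network
    logon), so a dashboard built around one ID range misses the other."""
    return Counter((r["ComputerName"], r["EventCode"])
                   for r in map(normalise_row, rows))


# Constructed sample rows standing in for a DB Connect result set; not real ACS data.
SAMPLE_ROWS = [
    {"event_id": 540, "source_name": "Security",
     "computer": "DC2003A.corp.example", "log_name": "security"},
    {"event_id": 540, "source_name": "Security",
     "computer": "DC2003A.corp.example", "log_name": "security"},
    {"event_id": 4624, "source_name": "Microsoft-Windows-Security-Auditing",
     "computer": "DC2008A.corp.example", "log_name": "Security"},
]

if __name__ == "__main__":
    for host, n in sorted(events_per_host(SAMPLE_ROWS).items()):
        print(f"{host}: {n} events")
    for (host, code), n in sorted(events_per_host_and_code(SAMPLE_ROWS).items()):
        print(f"{host} EventCode={code}: {n}")
```

If the per-host table shows only the 2003 controllers, the gap is in the view or the DB Connect input; if both generations appear but with different EventCode ranges, the dashboard's searches are the place to look.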

ahall_splunk
Splunk Employee

This has nothing to do with Active Directory. If you want to grab the appropriate events for Active Directory, I suggest starting with the Splunk App for Active Directory. The App is available for download from Splunkbase, and is documented at http://docs.splunk.com.

0 Karma

ahall_splunk
Splunk Employee

That's because we don't execute an "SQL query" - with AD, no SQL is involved.

0 Karma

shaunmuir
Engager

Thank you, I wasn't suggesting the problem was with Active Directory, so I'm not sure why you're suggesting it has nothing to do with AD. I asked what the SQL query was that was executed when I clicked on Active Directory events at the top of the Splunk app. Thus far, nobody has been able to tell me.

0 Karma

paul_1994
Path Finder

The only suggestion I would have would be to see if you can query the data from search, to see if it is indeed collecting inside of the index.

I have not used this app before, but I wanted to see if I could get you looking for the data via indexes.

0 Karma