
Splunk not showing events from all domain controllers

shaunmuir
Engager

Hi All, we have a mixed Windows 2003 and Windows 2008 R2 domain controller setup. All of these send events to SCOM and the SCOM ACS database. We point Splunk at the SCOM ACS database to collate these events centrally. Currently, when I click on "Active Directory" at the top of Splunk and then click on "Domain Controller Events", I can only see my Windows 2003 domain controller stats. I cannot see any data for my Windows 2008 R2 domain controllers. I have confirmed that there are definitely Windows 2008 R2 domain controller events within the SCOM ACS database. I'm very new to Splunk, so I might very well be doing something silly. Does anyone know what the SQL query is that is executed directly when I click on "Domain Controller Events"? If I have that, I can confirm that the tables in the SCOM database are correct. Otherwise, has anyone seen this before?

dstaulcu
Builder

My team may end up going down this route in the future.

If ACS is anything like SCOM, portions of Windows security event log data are likely spread across multiple tables. You would need to extract a view of security events and ensure that the columns match the field names and character case expected by the Splunk App for Active Directory. There may also be references to SourceName, SourceType, etc., so you will likely have some transform work to do if you are tailing SQL data using DB Connect.

0 Karma

ahall_splunk
Splunk Employee

This has nothing to do with Active Directory. If you want to grab the appropriate events for Active Directory, I suggest starting with the Splunk App for Active Directory. The App is available for download from splunkbase, and is documented at http://docs.splunk.com

0 Karma

ahall_splunk
Splunk Employee

That's because we don't execute an "SQL query" - with AD, no SQL is involved.

0 Karma

shaunmuir
Engager

Thank you, I wasn't suggesting the problem was with Active Directory, so I'm not sure why you're suggesting it has nothing to do with AD. I asked what the SQL query was that was executed when I clicked on Active Directory events at the top of the Splunk app. Thus far, nobody has been able to tell me.

0 Karma

paul_1994
Path Finder

The only suggestion I would have is to see if you can query the data from search, to confirm whether it is indeed being collected inside the index.

I have not used this app before, but I wanted to get you looking for the data via indexes.

0 Karma