Splunk Search

Script for lookup table 'ad_username' returned error code 1

jbreu
Explorer

We have installed the Splunk App for Exchange and for a while, we were getting some really great information. The other day we started getting the following error and a lot of the information when we would dive into subjects would be missing:

[server xxx] Script for lookup table 'ad_username' returned error code 1. Results may be incorrect.

There were no changes made to the deployment before this started happening that I am aware of.

Has anyone experienced this before or have an idea as to what can be done to fix the issue?

Thanks,
Jeff

1 Solution

jbreu
Explorer

We opened a case on this issue with support and went through the different configurations you mentioned above to no avail.

We ended up copying the Exchange app folder from one server to the other which ended up resolving the 'ad_username' error we were seeing.

Not sure as to what changed or what really broke, but something was different on the server throwing the error.

ahall_splunk
Splunk Employee

Something has changed on your deployment.

The ad_username lookup is defined in Splunk_for_Exchange/default/transforms.conf and its job is to normalize the username being presented in the IIS or message tracking logs into something that you can search for repeatedly. Lots of things break when this breaks. A few things to check:

1) Do a search in index=_internal to see if the script is mentioned with a more specific error message.
2) Check the permissions on the script itself (it's in the bin directory), plus the domain_aliases.csv file and the active_directory.csv file (the latter is an optional file, so you may not have one).
3) Ensure there are no blank lines in either of the CSV files.
4) Create an example CSV file to drive the lookup. It should have two fields - cs_username and user_subject. An example might be:

cs_username,user_subject
YOURDOMAIN\user,
user,
user@yourdomain.com,

Once you have this, you can feed this into the lookup and check the output, or errors. You do this with the following command line:

splunk cmd python bin/ad_username.py < yourtestfile.csv

Alter the paths according to where the files are stored. In this example, I created the file in the Splunk_for_Exchange directory and ran the command from there.

If this doesn't point to the error, then please post the app version and splunk version. Also, if you have Splunk Support, then please open a case with our Support group for more specific assistance.

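To make the lookup contract in the answer above concrete, here is an added example written for this page. It is not the Splunk App for Exchange's own ad_username.py; the alias table and the user@domain output format are assumptions standing in for domain_aliases.csv, whose real layout is not shown here. It implements the shape every Splunk external lookup script has: a CSV on stdin whose header names the lookup fields (cs_username and user_subject), the same header on stdout with the output field filled in, and a non-zero exit status when the request is malformed, which is exactly what the search reports as "returned error code 1".

```python
import csv
import io
import sys

# Constructed stand-in for domain_aliases.csv (assumption: the real file's
# format is not shown on the page). Maps NetBIOS names and alternate DNS
# suffixes to one canonical DNS domain so all three spellings of a user
# collapse to the same user_subject.
DOMAIN_ALIASES = {
    "yourdomain": "yourdomain.com",
    "yourdomain.local": "yourdomain.com",
    "yourdomain.com": "yourdomain.com",
}
# Assumed domain for bare user names such as "user".
DEFAULT_DOMAIN = "yourdomain.com"

# Constructed test input, the same shape as the CSV the answer describes
# (header with both fields, user_subject left empty for the script to fill).
SAMPLE_INPUT = (
    "cs_username,user_subject\n"
    "YOURDOMAIN\\user,\n"
    "user,\n"
    "user@yourdomain.com,\n"
)


def normalize_username(cs_username, aliases=DOMAIN_ALIASES, default_domain=DEFAULT_DOMAIN):
    """Collapse DOMAIN\\user, user@domain and bare user to user@canonical-domain.

    Returns '' when there is nothing to normalize (empty field, or the '-' that
    IIS writes for anonymous requests) so the row passes through unmatched.
    """
    value = cs_username.strip()
    if not value or value == "-":
        return ""
    if "\\" in value:
        domain, _, user = value.rpartition("\\")
    elif "@" in value:
        user, _, domain = value.rpartition("@")
    else:
        user, domain = value, default_domain
    user, domain = user.strip().lower(), domain.strip().lower()
    if not user:
        return ""
    # Unknown domains are kept as written (lower-cased) rather than guessed.
    return "%s@%s" % (user, aliases.get(domain, domain))


def run_lookup(stdin, stdout, stderr):
    """Splunk external-lookup loop: CSV in, same header plus filled field out.

    Returns the process exit status. 1 is what Splunk reports as
    "returned error code 1"; the reason goes to stderr, which Splunk
    records in index=_internal.
    """
    reader = csv.DictReader(stdin)
    header = reader.fieldnames or []
    if "cs_username" not in header or "user_subject" not in header:
        stderr.write("ad_username lookup: header must contain cs_username "
                     "and user_subject, got %r\n" % (header,))
        return 1
    # extrasaction="ignore" tolerates rows with more cells than the header;
    # DictReader already skips fully blank lines and pads short rows with None.
    writer = csv.DictWriter(stdout, fieldnames=header,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if not row.get("user_subject"):
            row["user_subject"] = normalize_username(row.get("cs_username") or "")
        writer.writerow(row)
    return 0


def lookup_text(csv_text):
    """Run the lookup over an in-memory CSV; returns (exit_status, stdout, stderr)."""
    out, err = io.StringIO(), io.StringIO()
    status = run_lookup(io.StringIO(csv_text), out, err)
    return status, out.getvalue(), err.getvalue()


if __name__ == "__main__":
    # Same invocation shape as the answer's test: python ad_username.py < test.csv
    sys.exit(run_lookup(sys.stdin, sys.stdout, sys.stderr))
```

Run it the same way the answer runs the real script, with the test CSV on stdin, and check both the exit status and stderr: a lookup that dies with a traceback or a deliberate exit 1 is what produces the "Results may be incorrect" warning, and the stderr text is what the index=_internal search in step 1 turns up.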