Exchange App: getting unknown domain

mikelanghorst · ‎07-03-2012

I've installed the Splunk for Exchange app. One of the issues I'm having is with users showing up with @unknown.

I've created the domain_aliases.csv on the search head, with UNKNOWN, unknown, and our netbios name, and our domain name. But it's still showing mlanghorst@unknown.

I have 2 indexers and one search head. I've thought that maybe this needs to go on the indexer, but according to the docs I should only need to install the TA* apps there.

What am I missing here? Not sure yet what records that this search is keying off of.

davidts · ‎04-11-2013

I have the same issue as OP. Was there a resolution to this? My NetBios names are not being translated to the domain and I have my domain_aliases.csv file in the "local" folder of the Exchange app on my Search Head. The format of my CSV file is similar that of OP.

Thanks.

ahall_splunk · ‎04-12-2013

Hey DavidTS,

You are not having the same problem as OP as the fix suggested repaired his problem. Open up a new question and don't forget to include your Splunk version, Exchange app version, OS version and a copy of your domain_aliases.csv file!

ahall_splunk · ‎07-04-2012

Let's say you had a domain "SPLUNK" which is really "splunk.com", then your domain_aliases.csv file would look like this:

UNKNOWN,splunk.com
SPLUNK,splunk.com

If you have

UNKNOWN,unknown
SPLUNK,splunk.com

then you would see what you are seeing.

mikelanghorst · ‎07-04-2012

UNKNOWN,caiso.com
unknown,caiso.com
ISOOA1,caiso.com

I put the lower case unknown in there after UNKNOWN didn't work. ISOOA1 is our netbios name. Yet they're still showing up as mlanghorst@unknown.

Exchange App: getting unknown domain

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...