All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use indexes with names other than msad for the MS Windows AD Objects app?

corey_dick
Path Finder
‎06-27-2016 10:58 AM

How can you set up the MS Windows AD Objects app to use indexes with names other than msad? I can't find any documentation for that, even though the setup acts like it should work. Trying to use it with admon and some indexes that we have already created.

0 Karma
Reply

shogan_splunk
Splunk Employee
Splunk Employee
‎07-03-2016 09:48 PM

For the MS Windows AD Objects macros, reports, and Dashboards the index is defined in the ms_ad_obj_msad_data eventtype. There were a few that i unfortunately didn't see still referenced the msad index specifically, which will be updated in the next release to use the ms_ad_obj_msad_data eventtype. Below is the list of searches and dashboards that you will need to update, either by putting in your indexes, or using the ms_ad_obj_msad_data eventtype:
Reports that have index=msad specifically in them: AD Objects - Verify Baseline Data – Overall, and AD Objects - Verify Baseline Data – Completed
Dashboard that uses index=msad in Drilldown Links: AD Object - Lookup Fields Information
To update the eventtype, just navigate to Settings, eventtypes and search for ms_ad_obj_msad. Then update it with your index(s).

Example: (index=yourindex1 OR index=yourindex2 OR index=yourindex3) sourcetype=ActiveDirectory
I will fix the above Reports and Dashboards in the next release. Hopefully this helps you out.

Reply

sk314
Builder
‎06-27-2016 11:09 AM

how are you getting the data? Are you getting the data using Splunk App for Windows Infra and hte related addons? In that case, the addon's expect those indexes to be present. If you want to change that behavior, you need to make changes to the add-ons. specifically, the inputs.conf in the addons which specify the index that the data needs to be sent to. If not, please give us more information about how your logs are being collected.

0 Karma
Reply

corey_dick
Path Finder
‎06-29-2016 11:44 AM

Using admon which indexes the AD object data into several indices as we have several domains within our environment.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...