I have installed the Splunk App for Active Directory. Now I am writing a fairly hefty user manual for the AD admins to know what information this app provides. I am frankly stuck on the naming of one report, DNS: Top Non-Authoritative Responses. In the search, it looks for all replies to DNS queries whose response was not NOERROR and whose flags equaled "A*". The fact that the search is looking for records with A in the flag actually implies that the Response is Authoritative, not non-authoritative. Seems like this report should be titled, DNS: Top Authoritative Failed Responses.
I hope someone at Splunk will read this and explain the title of the report or fix it in a future release.
Hi,
I've forwarded this report to the Windows team for triage and analysis.
In the meantime, you said you were writing a user manual for AD admins to know what information the app provides. What specific things were you looking for in the official product documentation that you didn't see?
I will update the ticket I opened with your additional requests. While I can't guarantee or estimate a fix, I can say that your concerns will be noted.
Thanks for your feedback. We actually have plans to include screenshots in the documentation. Responses like yours validate that need.
Was there anything else you would have liked to see in the official manual?
Malmoore, it started as a demo guide for my admins to sell the product to them. It includes screen shots for most of the screens in the app. Also, I wanted to clarify to our community what worked and didn't work using our current audit settings. I would be happy to send it to you when I am done with it tonight.
Also, I wonder if you could ask the Windows group to look at the other report titles. Top hosts sending failing queries seems mistitled since the host shown is actually sending a DNS response to a query. The host listed didn't initiate the query.
Thanks so much,
Sean
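An added example, not part of this thread and not code from the Splunk App for Active Directory: a small Python decoder for the 12-byte DNS header that illustrates the two points raised above. The "A" flag in a DNS response is the Authoritative Answer (AA) bit from RFC 1035, so a filter for flags matching "A" together with an RCODE other than NOERROR selects authoritative failed responses; and a response (QR=1) is sent by the server, so tallying failures by the source of the response counts the answering host, not the host that initiated the query. The addresses, transaction IDs and capture tuples are constructed sample data, and the `authoritative_only` parameter (an assumed name) mirrors the "A*" filter described in the first post.

```python
import struct
from collections import Counter

# RCODE values from RFC 1035 section 4.1.1.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; the flags word holds QR, AA and RCODE."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0x0F,
        "aa": bool(flags & 0x0400),      # Authoritative Answer: the "A" flag
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
        "counts": (qdcount, ancount, nscount, arcount),
    }


def classify(packet: bytes) -> str:
    """Label a message the way the report's filter (RCODE != NOERROR, AA set) would."""
    h = parse_dns_header(packet)
    if not h["qr"]:
        return "query"
    if h["rcode"] == 0:
        return "success"
    return "authoritative-failure" if h["aa"] else "non-authoritative-failure"


def build_header(txid: int, *, qr: bool, aa: bool = False, rd: bool = True, rcode: int = 0) -> bytes:
    """Constructed sample header (question section omitted) for offline use."""
    flags = (0x8000 if qr else 0) | (0x0400 if aa else 0) | (0x0100 if rd else 0) | (rcode & 0x0F)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


# Constructed capture: (source address, destination address, DNS message bytes).
# 10.0.0.53 plays an authoritative server, 10.0.0.54 a recursive forwarder.
SAMPLE_CAPTURE = [
    ("10.0.0.5",  "10.0.0.53", build_header(1, qr=False)),
    ("10.0.0.53", "10.0.0.5",  build_header(1, qr=True, aa=True, rcode=3)),   # NXDOMAIN, authoritative
    ("10.0.0.7",  "10.0.0.53", build_header(2, qr=False)),
    ("10.0.0.53", "10.0.0.7",  build_header(2, qr=True, aa=True, rcode=5)),   # REFUSED, authoritative
    ("10.0.0.5",  "10.0.0.54", build_header(3, qr=False)),
    ("10.0.0.54", "10.0.0.5",  build_header(3, qr=True, aa=False, rcode=2)),  # SERVFAIL, non-authoritative
    ("10.0.0.9",  "10.0.0.53", build_header(4, qr=False)),
    ("10.0.0.53", "10.0.0.9",  build_header(4, qr=True, aa=True, rcode=0)),   # healthy answer
]


def _failed_responses(capture, authoritative_only: bool):
    for src, dst, packet in capture:
        h = parse_dns_header(packet)
        if not h["qr"] or h["rcode"] == 0:
            continue
        if authoritative_only and not h["aa"]:
            continue
        yield src, dst, h


def failed_responses_by_sender(capture, authoritative_only: bool = False) -> dict:
    """Count failed responses per responding host (the source of a QR=1 message).
    With authoritative_only=True this is what a 'flags=A*, RCODE!=NOERROR' filter yields."""
    return dict(Counter(src for src, _dst, _h in _failed_responses(capture, authoritative_only)))


def failed_queries_by_client(capture, authoritative_only: bool = False) -> dict:
    """Count failed responses per querying host (the destination of the response),
    which is the host that actually sent the query that failed."""
    return dict(Counter(dst for _src, dst, _h in _failed_responses(capture, authoritative_only)))


if __name__ == "__main__":
    for src, dst, packet in SAMPLE_CAPTURE:
        h = parse_dns_header(packet)
        print(f"{src:>10} -> {dst:<10} id={h['id']} aa={int(h['aa'])} "
              f"{h['rcode_name']:<8} {classify(packet)}")
    print("failures by responder:", failed_responses_by_sender(SAMPLE_CAPTURE))
    print("authoritative failures by responder:", failed_responses_by_sender(SAMPLE_CAPTURE, True))
    print("failures by querying client:", failed_queries_by_client(SAMPLE_CAPTURE))
```

Running the block prints each message with its AA bit and RCODE, then the two tallies: grouping by the source of a failed response lists the DNS servers, while grouping by the destination lists the hosts that sent the failing queries, which is the distinction the report title blurs.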