We are testing out the Active Directory for Splunk app and are running into one issue. We are getting data in from our DCs just fine and can query LDAP and get results for our searches/dashboards except for one. Under the AD app and Security menu, we select User Logon Failures. Everything in the dashboard populates except for Failed Logons by IP Address. We get "No matching events found". When we do an inspect, we see the following message.
DEBUG: base lispy: [ AND host::sdcfisorl01 index::main source::wineventlog:security [ OR 4625 529 530 531 532 533 534 535 536 537 539 675 [ AND 4768 audit failure ] [ AND 4771 audit failure ] ] ]
DEBUG: search context: user="admin", app="Splunk_for_ActiveDirectory", bs-pathname="C:\Program Files\Splunk\etc"
We have taken the search (eventtype=msad-failed-user-logons (host="SDCFISORL01")|fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type) and entered it in a search box where we get results. We can't figure out why the dashboard is not showing any data.
Any thoughts?