Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.

About the Splunk Supporting Add-on for Active Directory

App Version: 3.0.0
Vendor products: Windows Server Active Directory (LDAP) services

The Splunk Supporting Add-on for Active Directory lets you collect Active Directory schema and other information from Active Directory as events and filter on those events.

How does it work?

The Splunk Supporting Add-on for Active Directory has the following uses:

  • To generate events based on the contents of an LDAP server such as Active Directory.
  • To augment events with information from an LDAP server such as Active Directory.
  • To perform Active Directory group expansions.

In order to use the Splunk Supporting Add-on for Active Directory, you must configure it. Read "Install the Splunk Supporting Add-on for Active Directory" to learn how.

How do I get it?

You can download the add-on from Splunkbase.

How do I upgrade from a previous version?

To upgrade from a previous version of the Splunk Supporting Add-on for Active Directory, rename the ldap3 folder located in the /apps/SA-ldapsearch/bin/packages directory to ldap_old on the search head, and then install this version directly on top of the previous version. You can use Splunk Web or the CLI, or you can upgrade it from the command line. This version updates the ldap3 package from v0.9.5 to v2.5 to solve performance issues.

Note: If you have a previous version installed, on upgrade, the app maintains ldap.conf from the previous installation. When you add any new domains to search, the add-on stores the credentials securely, instead of in the ldap.conf file. If you edit an existing domain entry using the new Configuration page, it also stores those credentials securely. Existing entries that you do not edit continue to have their credentials stored locally.
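The following audit is an added example, not part of the Splunk documentation or the add-on's own code. It lists the ldap.conf stanzas that still hold a credential in the file after an upgrade, so you know which domain entries to edit and save again through the Configuration page. The `password` key name, the function name, and the sample stanzas are assumptions; adjust them to match your file.

```python
import sys

# Assumption: the bind credential appears under a key named "password".
CREDENTIAL_KEYS = {"password"}

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
# constructed example
[default]
server = dc01.example.test
binddn = CN=svc-splunk,DC=example,DC=test
password = example-not-a-real-secret

[child.example.test]
server = dc02.example.test
binddn = CN=svc-splunk,DC=child,DC=example,DC=test

[lab.example.test]
server = dc03.example.test
Password = another-constructed-value
"""


def stanzas_with_local_credentials(conf_text, keys=CREDENTIAL_KEYS):
    """Return the sorted stanza names that carry a non-empty credential key."""
    flagged, stanza = set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        # Key names are compared case-insensitively so the audit errs toward flagging.
        if sep and stanza is not None and name.strip().lower() in keys and value.strip():
            flagged.add(stanza)
    return sorted(flagged)


if __name__ == "__main__":
    # Pass the path to your ldap.conf as the first argument; without one,
    # the constructed sample above is audited instead.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name in stanzas_with_local_credentials(text):
        print(f"credential still stored in file for stanza: {name}")
```

An empty result means no stanza in the file you audited holds a value under the assumed key.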

What search commands come with it?

There are four search commands and one test command in this add-on. Once configured, the add-on uses the configuration for all the commands. You can learn more about the commands in the following topics:

Where can I ask questions and get help?

You can visit Splunk Answers to discuss and get help on the Splunk Supporting Add-on for Active Directory. See "How to get support and find out more information about Splunk Enterprise" for additional support options.

Last modified on 18 February, 2020

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.0.0

