Install the Splunk Supporting Add-on for Active Directory
This topic explains how to install the Splunk Supporting Add-on for Active Directory.
Where to install it
The Splunk Supporting Add-on for Active Directory is designed to be installed across a distributed Splunk platform deployment. It can be installed on:
- Search heads
- Search peers when you want to distribute LDAP queries across those peers. Like the search head, the search peers must have access to Active Directory for this to work. If your indexers act as search peers, install the add-on on the indexers. See Install SA-LDAPsearch on the search head and all search peers in this manual for details.
- Heavy forwarders. The Splunk Supporting Add-on for Active Directory does not perform any function when you install it on a universal or light forwarder.
Search peers (Indexers)
In a distributed deployment, install SA-LDAPSearch on the indexer to avoid the following errors:
External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing.
The default configuration stanza for ldap.conf is missing: HTTP 404 Not Found - Application does not exist: SA-ldapsearch
How to install it
In most situations, you can download and install the add-on by using either Splunkbase or the CLI.
Once you install it, you must then configure it.
Install the add-on from the command line
On Splunk Enterprise, you can install the add-on from the command line, using the CLI.
To install the Splunk Add-on for Windows from the command line:
1. Download the Splunk Supporting Add-on for Active Directory from Splunk Apps, if you haven't already.
Note: If you have access to the Internet and have a valid link to where the app package resides, you can use the splunk install command to install the app directly from the Internet:
> cd Program Files\Splunk\bin
> .\splunk install app http://server.com:80/files/splunk-support-for-active-directory-xxxx.tar.gz
In this case, you can then proceed to Step 3.
2. Run the splunk install CLI command:
> cd Program Files\splunk\bin
> .\splunk install app <path>\splunk-support-for-active-directory-xxxx.tar.gz
App 'sa-ldapsearch' is installed.
Note: You might have to log into your Splunk Enterprise instance before it installs the app.
Install the add-on using Splunkbase
Install the Splunk Supporting Add-on for Active Directory only on full instances of Splunk Enterprise. The most common use case for this method of installation is to provide support for another app installed on the same machine. The add-on is not available for installation on universal forwarders or light forwarders.
To install the Splunk Supporting Add-on for Active Directory:
- Download the Splunk Supporting Add-on for Active Directory from Splunkbase, if you haven't already.
The file downloads with a .tar.gz extension. Do not run this file.
- Log into Splunk Web on the Splunk Enterprise instance on which you want to install the app.
- Once logged in, click App from the menu bar.
- Click Manage apps...
- On the next page, click the Install app from file button.
- On the upload screen, click Browse...
- Select the downloaded
- Click Open.
- Click Upload.
Splunk Enterprise opens the splunk-support-for-active-directory-xxxx.tar.gz package and installs the application.
- Click the Restart Splunk button or the link in the banner to restart Splunk.
- A dialog box asking you if you are sure you want to restart Splunk may appear. Click OK to restart Splunk.
- Once Splunk restarts, click OK to return to the Splunk login page.
- Configure the Splunk Supporting Add-on for Active Directory.
Install the Splunk Supporting Add-on for Active Directory on the deployer
- In a web browser, proceed to the Splunk Supporting Add-on for Active Directory.
- Click the download link to begin the download process. You might need to sign in with your Splunk account before the download starts.
- When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
- Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%/etc/shcluster/apps directory on the deployer.
- Run the following command to push the changed configurations to the members:
%SPLUNK_HOME%/bin/splunk apply shcluster-bundle -target https://<SH_IP>:<management_port>
Don't configure the add-on using the UI on the deployer if you want to push configurations to the search head cluster.
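A pre-extraction check for the unarchive step above, as an added example that is not part of the original Splunk documentation: it compares the package's SHA-256 with a value you obtained from a trusted source, rejects archive entries that would land outside the app directory, and only then unpacks into the shcluster/apps directory. The top-level directory name SA-ldapsearch (taken from the error message earlier on this page) and all function names are assumptions.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath

APP_DIR = "SA-ldapsearch"  # assumed top-level directory inside the package


def sha256_of(path):
    """SHA-256 of the package file (app packages are small enough to read)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def unsafe_members(archive, app_dir=APP_DIR):
    """Return (name, reason) for each entry that must not be extracted."""
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar:
            parts = PurePosixPath(m.name).parts
            if m.name.startswith("/") or ".." in parts or "\\" in m.name:
                problems.append((m.name, "path escapes target"))
            elif not parts or parts[0] != app_dir:
                problems.append((m.name, "outside app directory"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "link or special file"))
    return problems


def stage_on_deployer(archive, expected_sha256, apps_dir):
    """Verify and inspect the package, then unpack it into apps_dir."""
    if sha256_of(archive) != expected_sha256.lower():
        raise ValueError("checksum mismatch")
    if problems := unsafe_members(archive):
        raise ValueError(f"refusing to extract: {problems}")
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(apps_dir, **extra)
    return Path(apps_dir, APP_DIR)


if __name__ == "__main__":  # demo on a constructed package, not the real one
    with tempfile.TemporaryDirectory() as tmp:
        pkg, data = Path(tmp, "sample.tar.gz"), b"[install]\n"
        with tarfile.open(pkg, "w:gz") as tar:
            info = tarfile.TarInfo(f"{APP_DIR}/default/app.conf")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        print(stage_on_deployer(pkg, sha256_of(pkg), Path(tmp, "apps")))
```

In a real run, pass the downloaded .tar.gz, the checksum from the download source, and the deployer's shcluster/apps path; the demo hashes its own constructed file only so that it runs offline.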
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.0.8