https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30364#M1005 <P>that worked out perfect, missing one " right after search=</P> <P>can you explain $src_nt_domain$ &amp; $user$, i would've assumed </P> <P>ldapfilter domain=mydomain search="(&amp;(objectClass=user)(sAMAccountName=src_user))"</P> Mon, 28 Sep 2020 13:53:04 GMT gdavid 2020-09-28T13:53:04Z https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30362#M1003 <P>I'm trying to join 2 queries together in a table</P> <P>From the Active Directory App, i took this query:</P> <P><EM>eventtype=msad-account-lockout | eval actor=if(EventCode==4767 OR EventCode==671,src_user,src_host) | eval DateTime=strftime(_time, "%c") | table DateTime,signature,user,actor | rename signature as "Action",user as User, actor as "Change On/By"</EM></P> <P>Then i wanted to get the phone numbers from ldap to call the users so i tried to append this in between with no luck.</P> <P><EM>| ldapsearch domain=</EM><EM>mydomain</EM>* search="(&amp;(objectClass=user)(sAMAccountName=<STRONG>myuser</STRONG>))" attrs="dn,mobile,telephoneNumber"*</P> <P>Errors:<BR /> Error in 'ldapsearch' command: This command must be the first command of a search.</P> <P>can anyone assist? both return results when run independently. the end goal is to setup a real time alert for the lockouts with phone numbers in the emails.</P> <P>thanks</P> Mon, 28 Sep 2020 13:52:56 GMT https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30362#M1003 gdavid 2020-09-28T13:52:56Z https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30363#M1004 <P>You need to use ldapfilter instead.</P> <P>Go into the SA-ldapsearch app and look at the documentation - it's similar to ldapsearch, but does searches against the event pipeline. You will need to add in src_nt_domain, so something like this should work:</P> <PRE><CODE>eventtype=msad-account-lockout | eval actor=if(EventCode==4767 OR EventCode=671,src_user,src_host) | ldapfilter domain=$src_nt_domain$ search=(&amp;(objectClass=user)(sAMAccountName=$user$))" attrs="mobile,telephoneNumber" | table _time,signature,user,actor,mobile,telephoneNumber | rename signature as "Action", user as "Locked User", actor as "Changed By", mobile as "Cell", telephoneNumber as "Phone" </CODE></PRE> <P>Enjoy!</P> Mon, 28 Sep 2020 13:53:01 GMT https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30363#M1004 ahall_splunk 2020-09-28T13:53:01Z https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30364#M1005 <P>that worked out perfect, missing one " right after search=</P> <P>can you explain $src_nt_domain$ &amp; $user$, i would've assumed </P> <P>ldapfilter domain=mydomain search="(&amp;(objectClass=user)(sAMAccountName=src_user))"</P> Mon, 28 Sep 2020 13:53:04 GMT https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30364#M1005 gdavid 2020-09-28T13:53:04Z https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30365#M1006 <P>nevermind, i see my mistake.</P> <P>additional note: i was getting peridoic emails with no numbers, i noticed that the active directory app doesn't seem to pick up src_nt_domain from 2008 r2 domain controller events properly. i hard-coded my domain in the ldap search as i only have 1.</P> <P>thanks for you help again.</P> Mon, 28 Sep 2020 13:53:09 GMT https://community.splunk.com/t5/Security/Splunk-Query-with-Ldap-Info/m-p/30365#M1006 gdavid 2020-09-28T13:53:09Z