topic Re: How do I create a lookup with ldapsearch and use the lookup within the same search? in All Apps and Add-ons

How do I create a lookup with ldapsearch and use the lookup within the same search?

dpanych — Tue, 24 May 2016 23:30:13 GMT

My search is not returning any results..

index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*"
 [|inputlookup Servers.csv | return 9999 $name] 
| dedup sourceHost 
| table hostname, sourceHost
| search [| ldapsearch basedn="OU=ABC,OU=Servers,OU=SMG,DC=ZZZ,DC=COM" search="(&(objectClass=computer))" attrs="name,distinguishedName" | table name | sort name | outputlookup Servers.csv]

Here was my logic which doesn't work (brain is fried for the day):

ldapsearch queries ldap for the list of host names and creates a lookup
The lookup is then used in the beginning of the search to find all hosts that are reporting to Splunk.

Does that seem correct?

Re: How do I create a lookup with ldapsearch and use the lookup within the same search?

somesoni2 — Tue, 24 May 2016 23:49:01 GMT

Why don't you run your ldapsearch query separately, as scheduled search, to generate lookup and then just use it in your regular search? I don't think it will be necessary but you can schedule the ldapsearch query to run more frequently if your server list can change rather frequently.

Re: How do I create a lookup with ldapsearch and use the lookup within the same search?

woodcock — Wed, 25 May 2016 07:24:10 GMT

Assuming that the list of servers returned from the LDAP is a subset of the list of servers that are forwarding, you can use the LDAP to limit your search like this:

index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*"
[| ldapsearch basedn="OU=ABC,OU=Servers,OU=SMG,DC=ZZZ,DC=COM" search="(&(objectClass=computer))" attrs="name,distinguishedName" | dedup name | table name | rename name AS sourceHost ] 
| dedup sourceHost 
| table hostname, sourceHost

There really is no reason to save this out to a lookup, at least no reason that you have given.

Re: How do I create a lookup with ldapsearch and use the lookup within the same search?

woodcock — Wed, 25 May 2016 07:24:11 GMT

Your search, as explained, benefits not at all from the ldapseaech. As you have explained it (and attempted to implement), the base search is neither (usefully) qualified (limited) by the ldapsearch, nor is any extra host-related information added to the events from the ldapseach. So just skip the ldapsearch entirely.

Re: How do I create a lookup with ldapsearch and use the lookup within the same search?

dpanych — Wed, 25 May 2016 15:15:06 GMT

The ldapsearch query is pulling back all the hosts for a certain OU, and then I want to search the list of hosts to see if they're "talking"/reporting to Splunk. As @somesoni2 mentioned, having a scheduled search keep the host list updated would be a great alternative.

Re: How do I create a lookup with ldapsearch and use the lookup within the same search?

Simon_Mantell — Fri, 09 Sep 2016 05:59:46 GMT

You can do a join, I use it to compare hosts in AD to Splunk for missing ones

| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" 
| table cn lastLogon description
| join type=left cn [
| inputlookup dmc_forwarder_assets | search os=Windows | table hostname, status, arch, last_connected
| rename hostname AS cn]
| eval epoch1day_ago=relative_time(now(), "-1d@d" ) 
| where (last_connected < epoch1day_ago OR isnull(last_connected) )
| eval last_connected=strftime('last_connected', "%c") 
| table cn,lastLogon,description,arch,last_connected,status