https://community.splunk.com/t5/Getting-Data-In/Indexing/m-p/673079#M112748 <P>&nbsp;</P><LI-CODE lang="markup">| ldapsearch domain="default" search="(&amp;(samAccountType=000000000) (|(sAMAccountName=*)))" attrs="sAMAccountName, distinguishedName, userAccountControl, whenCreated, personalTitle, displayName, givenName, sn, mail, telephoneNumber, mobile, manager, department, co, l, st, accountExpires, memberOf" | rex field=memberOf "CN=(?&lt;memberOf_parsed&gt;[^,]+)" | eval memberOf=lower(replace(mvjoin(memberOf_parsed, "|"), " ", "_")) | rex max_match=5 field=distinguishedName "OU=(?&lt;dn_parsed&gt;[^,]+)" | eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_")) | eval priority=case(match(category, "domain_admin|disabled|hold|executive") OR match(memberOf, "domain_admins|enterprise_admins|schema_admins|administrators"), "critical", match(category, "contractor|service_account|external"), "high", match(category, "employees|training|user_accounts|users|administration"), "medium", 1==1, "unknown") | eval watchlist=case(match(category,"disabled|hold"), "true", 1==1, "false") | eval startDate=strftime(strptime(whenCreated,"%Y%m%d%H%M"), "%m/%d/%Y %H:%M") | eval endDate=strftime(strptime(accountExpires,"%Y-%m-%dT%H:%M:%S%Z"), "%m/%d/%Y %H:%M") | eval work_city=mvjoin(mvappend(l, st), ", ") | rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone,mobile as phone2, manager AS managedBy, department as bunit, co AS work_country | fillnull value="unknown" category, priority, bunit | table identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long | outputcsv xyz.csv</LI-CODE><P>&nbsp;</P><P>this the search that is being used to generate a csv file, and yes, it's same addon as you mentioned.&nbsp;<BR />I believe you're right that &gt; they're writing to a directory (on the same host as HF) And ingesting it by using a input. conf file.&nbsp;<BR />Because in cloud we cannot monitor directories directly from cloud instance.&nbsp;<BR />Correct me? thanks</P> Tue, 02 Jan 2024 22:18:25 GMT vishenps 2024-01-02T22:18:25Z https://community.splunk.com/t5/Getting-Data-In/Indexing/m-p/673057#M112742 <P>Hi folks,&nbsp;<BR />Happy new year to you all:-)<BR /><BR />In my org the Splunk deployment is as follows:<BR /><BR />Heavy forwarders running (HF1, HF2) &gt; Collecting data from directories, HTTP &gt; Sent to Splunk cloud (2 search heads).<BR /><BR />Case: We have Active Directory add on HF1&gt;which establishes connection to AD&gt; write a CSV file in var/* of the host and &gt; being indexed to the cloud.&nbsp;<BR /><BR />admin said we have input which write data to index=asset_identity : I AM NOT SURE WHAT THE ADMIN WAS REFFERING TO? IS IT CONF FILE ON HF?&nbsp;<BR /><BR /></P> Tue, 02 Jan 2024 20:29:31 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing/m-p/673057#M112742 vishenps 2024-01-02T20:29:31Z https://community.splunk.com/t5/Getting-Data-In/Indexing/m-p/673071#M112746 <P>Can you clarify what technical addon you're using? Also, couldn't you ask your admin to clarify on the question you have originally?</P><P>If you're using this addon <A href="https://splunkbase.splunk.com/app/1151" target="_self">here</A>, then you can write a search using the LDAP command to write to an index with the collect command. Otherwise, whatever you're doing with the CSV file and then having a file monitoring to ingest the CSV is the long way to do it.</P> Tue, 02 Jan 2024 21:14:38 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing/m-p/673071#M112746 m_pham 2024-01-02T21:14:38Z https://community.splunk.com/t5/Getting-Data-In/Indexing/m-p/673079#M112748 <P>&nbsp;</P><LI-CODE lang="markup">| ldapsearch domain="default" search="(&amp;(samAccountType=000000000) (|(sAMAccountName=*)))" attrs="sAMAccountName, distinguishedName, userAccountControl, whenCreated, personalTitle, displayName, givenName, sn, mail, telephoneNumber, mobile, manager, department, co, l, st, accountExpires, memberOf" | rex field=memberOf "CN=(?&lt;memberOf_parsed&gt;[^,]+)" | eval memberOf=lower(replace(mvjoin(memberOf_parsed, "|"), " ", "_")) | rex max_match=5 field=distinguishedName "OU=(?&lt;dn_parsed&gt;[^,]+)" | eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_")) | eval priority=case(match(category, "domain_admin|disabled|hold|executive") OR match(memberOf, "domain_admins|enterprise_admins|schema_admins|administrators"), "critical", match(category, "contractor|service_account|external"), "high", match(category, "employees|training|user_accounts|users|administration"), "medium", 1==1, "unknown") | eval watchlist=case(match(category,"disabled|hold"), "true", 1==1, "false") | eval startDate=strftime(strptime(whenCreated,"%Y%m%d%H%M"), "%m/%d/%Y %H:%M") | eval endDate=strftime(strptime(accountExpires,"%Y-%m-%dT%H:%M:%S%Z"), "%m/%d/%Y %H:%M") | eval work_city=mvjoin(mvappend(l, st), ", ") | rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone,mobile as phone2, manager AS managedBy, department as bunit, co AS work_country | fillnull value="unknown" category, priority, bunit | table identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long | outputcsv xyz.csv</LI-CODE><P>&nbsp;</P><P>this the search that is being used to generate a csv file, and yes, it's same addon as you mentioned.&nbsp;<BR />I believe you're right that &gt; they're writing to a directory (on the same host as HF) And ingesting it by using a input. conf file.&nbsp;<BR />Because in cloud we cannot monitor directories directly from cloud instance.&nbsp;<BR />Correct me? thanks</P> Tue, 02 Jan 2024 22:18:25 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing/m-p/673079#M112748 vishenps 2024-01-02T22:18:25Z