How to pass search results as a token to an ldapsearch withtout using xml or lookups?

kearaspoor — Thu, 29 Oct 2015 17:13:52 GMT

Trying to get a basic search of Windows event data to cross reference with fields from ldapsearch. I'm wanting it to take the value of a field (like Account_Name) in a Windows event and use it as a token to run an ldapsearch and return the value of a particular field from AD (like an OU). Rinse and repeat for all the values from the Windows results.

I tried a join/append with the ldapsearch as the subsearch, and pondered creating a lookup table of the ldapsearch values. But we've got a very large environment (>140,000 users) that makes the subsearch/lookup-table enormous. Since the Windows search normally only returns a couple dozen events, the processing time of the ldapsearch to return all possible values completely kills the value of the search. I really need to be able to limit the ldapsearch to just he couple dozen main-search values.

How do I get <main-search with $tokenvalues$> to pass to | ldapsearch domain=mydomain search="$tokenvalues$"

Re: How to pass search results as a token to an ldapsearch withtout using xml or lookups?

javiergn — Thu, 28 Jan 2016 10:10:27 GMT

You can use map:

<main-search with $tokenvalues$>
| map search="| ldapsearch domain=mydomain search=\"$tokenvalues$\" "

Take a look at this too in case it helps:

https://answers.splunk.com/answers/349899/how-to-easily-replace-a-character-in-a-token-value.html#answer-349908

Thanks,
J

topic How to pass search results as a token to an ldapsearch withtout using xml or lookups? in Dashboards & Visualizations

How to pass search results as a token to an ldapsearch withtout using xml or lookups?

Re: How to pass search results as a token to an ldapsearch withtout using xml or lookups?