So we're having this issue where all of our active directory events are coming back as having multiple duplicates of the same event. We had an issue with the Service accounts splunk used but all the domains we want to query can be queried now. Confirmed via ldaptestconnection.

But this is specifically happening with searches relating to ldapfilter, below is the search we use,

Note : the ldap_doamins.csv contains all the domains we have and what splunk so search.

| inputlookup ldap_domains.csv WHERE enabled=1
| fields - enabled
| ldapfilter search="(&(memberOf:1.2.840.113556.1.4.1941:=CN=Backup Operators,CN=Builtin,$baseDN$))" domain=$domain$ attrs="name,sAMAccountName,objectCategory,objectClass,objectSID"
| tojson
| eval _raw = replace(_raw,"^{","{\"query_type\":\"activedirectory:admin_groups\",\"taskid\":\"".now()."\",\"admin_group_dn\":\"CN=Backup Operators,CN=Builtin,".baseDN."\",")
| eval _raw = replace(_raw,"\:\[\]",":\"\"")
| foreach *
[
| eval _raw=replace(_raw,"<<FIELD>>", lower("<<FIELD>>"))
]
| fields _raw
| collect `activedirectory_index` output_format=hec