
Combine base search with ldapsearch

chrispounds
Explorer

Hi All!

I have a base search that just reports users connected to a vpn service.

index=netvpn | stats count by user

Very simple. I then want to run those users against an ldapsearch and get their employeeType and displayName. Is there any way I can use a subsearch to achieve this? I have already tried:

index=netvpn sourcetype="pulse:connectsecure"
| stats count by user
[| ldapsearch domain=*obfuscated* search="(sAMAccountName=$user$)" attrs="employeeType displayName" ]
| table employeeType, displayName

But I don't get any results. Am I close? Oh, and the output of "user" in the base search is the sAMAccountName in Active Directory, so I shouldn't need to rename any fields.

I do also have a scheduled search running to output the base search to a CSV, if it makes the process any easier!

Many thanks,
Chris

0 Karma

to4kawa
Ultra Champion
index=netvpn sourcetype="pulse:connectsecure"
| stats values(user) as users
| eval user="(|(sAMAccountName=".mvjoin(users,")(sAMAccountName=").")"
| ldapsearch domain=*obfuscated* search="$user$" attrs="sAMAccountName employeeType displayName"
| table sAMAccountName, employeeType, displayName

ldapsearch works on a single value, so use map, or try like this.

0 Karma

richgalloway
SplunkTrust

Subsearches run first so there is no value of $user$ available. Instead, consider the map command.

index=netvpn sourcetype="pulse:connectsecure"
| stats count by user
| map search="| ldapsearch domain=*obfuscated* search=\"(sAMAccountName=$user$)\" attrs=\"sAMAccountName employeeType displayName\"" maxsearches=1000
| table sAMAccountName, employeeType, displayName

Even better would be to use ldapsearch to create a lookup file that can be accessed from other searches. Run this as scheduled search each day:

| ldapsearch domain=*obfuscated* search="(sAMAccountName=*)" attrs="sAMAccountName employeeType displayName"
| table sAMAccountName, employeeType, displayName
| outputlookup employeeTypes.csv

Then consult the lookup file. This is far faster than reaching out to LDAP many times and will keep your admins happy.

index=netvpn sourcetype="pulse:connectsecure"
| stats count by user
| lookup employeeTypes.csv sAMAccountName AS user OUTPUT employeeType displayName
| table user, employeeType, displayName
---
If this reply helps you, Karma would be appreciated.
0 Karma
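Both answers above end up placing VPN usernames inside an LDAP search filter: to4kawa's batches them into one filter, and the map version interpolates `$user$` into a filter once per user. Two details matter there and are easy to get wrong. First, LDAP filters use prefix notation, so several users are combined as `(|(sAMAccountName=a)(sAMAccountName=b))`, not with the word `OR`. Second, a username taken from VPN logs is untrusted input, and the characters `* ( ) \` and NUL have special meaning in a filter (RFC 4515), so they must be escaped before being substituted. The following added example (my own Python, not code from either poster or from Splunk) builds escaped, batched filters from a list of users and then shows the lookup-style join that Rich recommends, using a constructed user list and a constructed stand-in for `employeeTypes.csv`; the names `build_or_filter`, `enrich` and the sample data are assumptions for illustration.

```python
import csv
import io

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# Without this, a logged username such as "*)(objectClass=*" would
# change the meaning of the filter instead of matching one account.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_or_filter(attr: str, values, chunk_size: int = 100):
    """Return a list of LDAP filters, each OR-ing up to chunk_size users.

    Duplicates and empty usernames are dropped first (the same clean-up
    '| stats values(user)' does). Chunking keeps any one filter from
    growing past what a directory will accept in a single query.
    A single user yields a plain (attr=value) filter with no '|' wrapper.
    """
    unique = sorted({v for v in values if v})
    filters = []
    for i in range(0, len(unique), chunk_size):
        chunk = unique[i:i + chunk_size]
        terms = "".join(f"({attr}={escape_filter_value(v)})" for v in chunk)
        filters.append(terms if len(chunk) == 1 else f"(|{terms})")
    return filters


# Constructed sample of what '| stats count by user' might hand on,
# including a duplicate and a hostile-looking value (assumed, not real data).
VPN_USERS = ["jsmith", "adoe", "jsmith", "svc-backup", "*)(objectClass=*"]

# Constructed stand-in for the employeeTypes.csv that '| outputlookup' writes.
LOOKUP_CSV = """sAMAccountName,employeeType,displayName
jsmith,Employee,John Smith
adoe,Contractor,Alice Doe
svc-backup,Service Account,Backup Service
"""


def load_lookup(csv_text: str):
    """Index the lookup CSV by sAMAccountName, as the lookup command would."""
    return {row["sAMAccountName"]: row
            for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(users, lookup):
    """Mimic '| lookup employeeTypes.csv sAMAccountName AS user OUTPUT ...'.

    Users missing from the directory snapshot are kept with empty fields
    rather than dropped: a VPN login for an account that LDAP does not
    know about is exactly the row a reviewer wants to see.
    """
    rows = []
    for user in sorted(set(users)):
        match = lookup.get(user, {})
        rows.append({
            "user": user,
            "employeeType": match.get("employeeType", ""),
            "displayName": match.get("displayName", ""),
        })
    return rows


if __name__ == "__main__":
    for f in build_or_filter("sAMAccountName", VPN_USERS, chunk_size=2):
        print(f)
    for row in enrich(VPN_USERS, load_lookup(LOOKUP_CSV)):
        print(row)
```

Run as a script it prints the two batched filters (the hostile value appears escaped as `\2a\29\28objectClass=\2a`) followed by one enriched row per distinct user, with empty employeeType and displayName for the account the lookup does not contain. The same escaping rule applies whichever SPL route is used; the lookup route additionally avoids building per-user filters at search time at all, which is the main reason it is the safer and faster option.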

chrispounds
Explorer

Hi Rich,

Thank you for those suggestions 🙂 Agreed, yes, it would be more efficient to use a lookup, so I'll definitely be looking into that method. I did just try the first suggestion (to check it pulls data) and I get the error:

Error in 'map' command: Unable to find saved search 'user'.

I'll try the lookup suggestion now 🙂

0 Karma

richgalloway
SplunkTrust

The map command failed because I flubbed the syntax. Try the updated answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma