All Apps and Add-ons

Combine base search with ldapsearch

chrispounds
Explorer

Hi All!

I have a base search that just reports users connected to a vpn service.

index=netvpn | stats count by user

Very simple, i then want to run those users against an ldapsearch and get their employeeType and displayName, is there anyway i can subsearch to achieve this? I have already tried:

 index=netvpn sourcetype="pulse:connectsecure"
| stats count by user
[| ldapsearch domain=*obfuscated* search="(sAMAccountName=$user$)" attrs="employeeType displayName" ]
| table employeeType, displayName

But i don't get any results, am i close? Oh and the output of "user" in the base search is the sAMAccountName in Active Directory, so i shouldn't need to rename any fields.

I do also have a scheduled search running to output the base search to a csv, if it makes the process any easier!

Many thanks,
Chris

0 Karma

to4kawa
Ultra Champion
index=netvpn sourcetype="pulse:connectsecure"
 | stats values(user) as users
 | eval user="(".mvjoin(users," OR ").")"
 | ldapsearch domain=*obfuscated* search="(sAMAccountName=$user$)" attrs="employeeType displayName" 
 | table employeeType, displayName

ldapsearch works by single value.
so, use map OR try like this.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Subsearches run first so there is no value of $user$ available. Instead, consider the map command.

index=netvpn sourcetype="pulse:connectsecure"
| stats count by user
| map user search="| ldapsearch domain=*obfuscated* search=\"(sAMAccountName=$user$)\" attrs=\"employeeType displayName\" "
| table employeeType, displayName

Even better would be to use ldapsearch to create a lookup file that can be accessed from other searches. Run this as scheduled search each day:

| ldapsearch domain=*obfuscated* search="(sAMAccountName=*)" attrs="employeeType displayName"
| table sAMAccountName, employeeType, displayName
| outputlookup employeeTypes.csv

Then consult the lookup file. This is far faster than reaching out to LDAP many times and will keep your admins happy.

 index=netvpn sourcetype="pulse:connectsecure"
| stats count by user
| lookup employeeTypes.csv sAMAccountName
| table employeeType, displayName
---
If this reply helps you, Karma would be appreciated.
0 Karma

chrispounds
Explorer

Hi Rich,

Thank you for those suggestions 🙂 Agreed yes it would be more efficient to use a lookup, so i'll definitely be looking into that method. I did just try the first suggestion (to check it pulls data) and i get the error:

Error in 'map' command: Unable to find saved search 'user'. 

I'll try the lookup suggestion now 🙂

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The map command failed because I flubbed the syntax. Try the updated answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...