Event-level filtering based on LDAP query
Anyone know how I can do event-level filtering that matches events based on membership in an AD group?
Specifically, I'm looking to send any and all events that have to do with the members of the "domain administrators" Active Directory group to a separate index. From there I can control permissions to that index to keep Domain Admin activity segregated. (Of course, the concept could be applied to any other AD group, OU, etc.)
Can event-level filtering be done by matching events with the results of an LDAP query, or CSV lookup, where the CSV is generated by a scheduled non-Splunk job?
(Or, do I have to write a shell script to do an LDAP query and figure out how to safely update the appropriate config files using the script?)
It seems like this is exactly what ldapsearch is meant to do, but I can't figure out the search. I have my event search, then I want to filter events if the user field name matches the sAMAccountName field as memberOf an LDAP group.
I have the same question. Did you come up with a solution?
Have you since been able to accomplish this with ldapsearch?
No, I never did. Splunk support was also unable to provide a way to do this. The only thing I can think to do is to custom-write a script that does the LDAP query for you and modifies a regex in the Splunk configs... but last I knew there was no built-in way to do this. However, I haven't checked to see if this might have been a new feature in recent releases.
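One shape for the external-script approach described in this reply, as an added example and not code from the thread or from Splunk: it parses ldapsearch output (a constructed sample here) for the group's sAMAccountName values, turns them into an index-time routing stanza for transforms.conf, and writes the file atomically. The ldapsearch command, the stanza name and the destination index name are assumptions.

```python
import base64
import os
import re
import tempfile

# Constructed sample, standing in for the output of something like:
#   ldapsearch -LLL -b DC=example,DC=com \
#     "(memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com)" sAMAccountName
SAMPLE_LDIF = """dn: CN=Alice Admin,CN=Users,DC=example,DC=com
sAMAccountName: alice

dn: CN=Bob Builder,CN=Users,DC=example,DC=com
sAMAccountName:: Ym9iLmFkbQ==

dn: CN=Svc Backup,CN=Users,DC=example,DC=com
sAMAccountName: svc.backup$
"""

def parse_samaccountnames(ldif: str) -> list[str]:
    """Collect sAMAccountName values; a '::' separator marks a base64 value."""
    names = set()
    for line in ldif.splitlines():
        if line.startswith("sAMAccountName:: "):
            names.add(base64.b64decode(line.split(":: ", 1)[1]).decode())
        elif line.startswith("sAMAccountName: "):
            names.add(line.split(": ", 1)[1])
    return sorted(names)

def build_regex(names: list[str]) -> str:
    """Case-insensitive whole-token alternation; re.escape keeps '.' and '$' literal."""
    alts = "|".join(re.escape(n) for n in names)
    return rf"(?i)(?<![\w.$-])(?:{alts})(?![\w.$-])"

def build_transforms_stanza(names: list[str], index: str = "domain_admins") -> str:
    """transforms.conf stanza that re-routes matching events to `index` at index time."""
    return (f"[route_domain_admins]\nREGEX = {build_regex(names)}\n"
            f"DEST_KEY = _MetaData:Index\nFORMAT = {index}\n")

def is_domain_admin_event(event: str, names: list[str]) -> bool:
    """Local check mirroring what Splunk's REGEX would do against the raw event."""
    return re.search(build_regex(names), event) is not None

def write_atomically(path: str, content: str) -> None:
    """Temp file + rename, so a reader never sees a half-written transforms.conf."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)
```

The stanza still needs a matching `TRANSFORMS-<name> = route_domain_admins` entry in props.conf for the relevant sourcetype, and because this runs at index time the regex sees only the raw event text, not search-time fields.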
Heh... just re-read my original question... seems I'm at the same conclusion I was when I wrote the question. External script would have to be the solution.
I think this can be done now, I'm just not up to writing the search. Any thoughts on how this can be done with ldapsearch?
