Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Event-level filtering based on LDAP query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Event-level filtering based on LDAP query
Anyone know how I can do event-level filtering that matches events based on membership in an AD group?
Specifically, I'm looking to send any and all events that have to do with the members of the "domain administrators" Active Directory group to a separate index. From there I can control permissions to that index to keep Domain Admin activity segregated. (Of course, the concept could be applied to any other AD group, OU, etc.)
Can event-level filtering be done by matching events with the results of an LDAP query, or CSV lookup, where the CSV is generated by a scheduled non-splunk job??
(Or, do I have to write a shell script to do an LDAP query and figure out how to safely update the appropriate config files using the script??)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems like this is exactly what ldapsearch is meant to do, but I can't figure out the search. I have my event search, then I want to filter events if the user field name matches the sAMAaccount field as memberOf an ldap group.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same question. Did you come up with a solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you since been able to accomplish this with ldapsearch?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, I never did. Splunk support was also unable to provide a way to do this. The only thing I can think to do is to custom-write a script that does the ldap query for you and modifies a regex in the splunk configs.... but last I knew there was no built in way to do this. However -- I haven't checked to see if this might have been a new feature in recent releases.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Heh... just re-read my original question... seems I'm at the same conclusion I was when I wrote the question. External script would have to be the solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think this can be done now, i'm just not up to writing the search. any thoughts on how this can be done with ldapsearch?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
